https://bugzilla.redhat.com/show_bug.cgi?id=2094948
Bug ID: 2094948
Summary: Unable to log in to accounts from CentOS 7 FreeIPA Server
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: mheon(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
I have a CentOS 7 FreeIPA server (ipa-server-4.6.8-5.el7.centos.10.x86_64,
other RPM versions available on request), with several systems joined to the
domain (F35, F36, and CentOS 7). I recently performed a dnf upgrade on one of
the F36 systems, which pulled in sssd 2.7.1 (was previously on 2.7.0). After
the upgrade, I became unable to log into any IPA account. Relevant error
messages below:
Jun 08 11:34:27 Bellerophon.int.lldp.net krb5_child[14823]: Unknown code UUz 100
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=mheon
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): received for user mheon: 4 (System error)
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: gkr-pam: unlocked login keyring
All other systems on the domain remained able to log in. No error messages are
visible in the IPA server's journal. Downgrading to sssd-2.7.0-1.fc36.x86_64
resolves the issue and restores the ability to log in. I do not have another
IPA server to test with at the moment, but I did confirm that unenrolling and
reenrolling the host in question (in hopes of replacing any faulty
configuration files written) did not resolve the problem.
Notably, this occurs only for login attempts via password (from TTY or
graphical session). Logging in using SSH with key authentication works. Once
logged in via SSH, I am able to communicate with at least the IPA server's
Kerberos server (e.g. `kinit mheon` works).
Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Upgrade to sssd 2.7.1
2. Log out
3. Log into an IPA-managed account
Actual results:
Login fails
Expected results:
Login succeeds
Additional info:
I don't know if this is sssd itself or a subpackage (sssd-ipa seems likely?) -
apologies if this should have been filed elsewhere.