https://bugzilla.redhat.com/show_bug.cgi?id=1849109
Bug ID: 1849109
Summary: 'System error' on login with domain account after system update (online login only)
Product: Fedora
Version: 32
Hardware: x86_64
OS: Linux
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: vargax@gmail.com
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, mzidek@redhat.com, pbrezina@redhat.com, rharwood@redhat.com, sbose@redhat.com, ssorce@redhat.com
Target Milestone: ---
Group: private
Classification: Fedora
Created attachment 1698118 --> https://bugzilla.redhat.com/attachment.cgi?id=1698118&action=edit update logs and journalctl output
Description of problem: Online login with a domain account is broken after a full update on a Fedora 32 system joined to an Active Directory domain using realm. Offline login (using cached credentials) works. kinit also works.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Install Fedora 32
2. Join system to AD domain using realm
3. Login with a domain account > Login works
4. Full update the system
5. Try to login with a domain account > Login Fails > System Error
6. Disconnect network
7. Try to login with domain account > Login works
Actual results: Online login with domain account fails
Expected results: Online login with domain account should work
Additional info: Full update log and journalctl logs attached.

Steps ran on a vanilla Fedora 32 Workstation VM:

```
[ws@localhost-live ~]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for ws:
[root@localhost-live ws]# cd
[root@localhost-live ~]# hostnamectl set-hostname --static test-f32-wrks
[root@localhost-live ~]# realm join -v --user=cvargasc ad.activarsas.co
 * Resolving: _ldap._tcp.ad.activarsas.co
 * Performing LDAP DSE lookup on: 10.11.11.98
 * Successfully discovered: ad.activarsas.co
Password for cvargasc:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.activarsas.co --domain-realm AD.ACTIVARSAS.CO --domain-controller 10.11.11.98 --login-type user --login-user cvargasc --stdin-password
 * Using domain name: ad.activarsas.co
 * Calculated computer account name from fqdn: TEST-F32-WRKS
 * Using domain realm: ad.activarsas.co
 * Sending NetLogon ping to domain controller: 10.11.11.98
 * Received NetLogon info from: scandelaria.ad.activarsas.co
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-MkTsc9/krb5.d/adcli-krb5-conf-IqiLw8
 * Authenticated as user: cvargasc@AD.ACTIVARSAS.CO
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-490755958-958459292-2945111038
 * Using fully qualified name: test-f32-wrks
 * Using domain name: ad.activarsas.co
 * Using computer account name: TEST-F32-WRKS
 * Using domain realm: ad.activarsas.co
 * Calculated computer account name from fqdn: TEST-F32-WRKS
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for TEST-F32-WRKS$ at: CN=TEST-F32-WRKS,CN=Computers,DC=ad,DC=activarsas,DC=co
 * Sending NetLogon ping to domain controller: 10.11.11.98
 * Received NetLogon info from: scandelaria.ad.activarsas.co
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=TEST-F32-WRKS,CN=Computers,DC=ad,DC=activarsas,DC=co
 * Checking host/TEST-F32-WRKS
 * Added host/TEST-F32-WRKS
 * Checking RestrictedKrbHost/TEST-F32-WRKS
 * Added RestrictedKrbHost/TEST-F32-WRKS
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-F32-WRKS$@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-F32-WRKS@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-F32-WRKS@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-06-19-15-17-49.nmhfmX
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
[root@localhost-live ~]# sed -i 's&%u@%d&%u&g' /etc/sssd/sssd.conf
[root@localhost-live ~]# sed -i 's&use_fully_qualified_names = True&use_fully_qualified_names = False&g' /etc/sssd/sssd.conf
[root@localhost-live ~]# cat >> /etc/sssd/sssd.conf <<EOF
auto_private_groups = true
EOF
[root@localhost-live ~]# systemctl restart sssd.service
[root@localhost-live ~]# echo "%domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/domain-admins
[root@localhost-live ~]# exit
exit
[ws@localhost-live ~]$ su cvargasc
Password:
[cvargasc@test-f32-wrks ws]$ cd
[cvargasc@test-f32-wrks ~]$ sudo dnf update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for cvargasc:
(...full update log attached...)
Complete!
[cvargasc@test-f32-wrks ~]$ exit
exit
[ws@localhost-live ~]$ su cvargasc
Password:
su: System error
[ws@localhost-live ~]$ nmcli connection down Wired\ connection\ 1
Connection 'Wired connection 1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[ws@localhost-live ~]$ su cvargasc
Password:
[cvargasc@test-f32-wrks ws]$ exit
[ws@localhost-live ~]$ nmcli connection up Wired\ connection\ 1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[ws@localhost-live ~]$ su lpguerreroj
Password:
su: System error
[ws@localhost-live ~]$ nmcli connection down Wired\ connection\ 1
Connection 'Wired connection 1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[ws@localhost-live ~]$ su lpguerreroj
Password:
[lpguerreroj@test-f32-wrks ws]$
```
Alexey Tikhonov atikhono@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Doc Type   |---                         |If docs needed, set a value
Flags      |                            |needinfo?(vargax@gmail.com)
--- Comment #1 from Alexey Tikhonov atikhono@redhat.com ---

```
Jun 19 11:17:50 test-f32-wrks realmd[2754]: * Successfully enrolled machine in realm
...
Jun 19 11:17:57 test-f32-wrks sssd[2957]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
```

-- this starts after `realmd` finished enrollment.

Could you please set "debug_level=9" in the domain section of sssd.conf and attach the resulting log of a failed auth attempt?
--- Comment #2 from Alexey Tikhonov atikhono@redhat.com --- But I guess auth fails because DNS record wasn't updated (see quoted error).
Camilo Vargas vargax@gmail.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Flags      |needinfo?(vargax@gmail.com) |
--- Comment #3 from Camilo Vargas vargax@gmail.com --- Created attachment 1698135 --> https://bugzilla.redhat.com/attachment.cgi?id=1698135&action=edit Requested logs
Hi Alexey,
Please find attached the requested logs.
This config works on a fully-updated Fedora 31 and on a vanilla Fedora 32 (before updates). I have seen those GSSAPI errors on the logs before (since Fedora 30 and Ubuntu 18.04) but they have never affected authentication.
Thanks,
CVC
Alexey Tikhonov atikhono@redhat.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |NEW                         |CLOSED
Resolution |---                         |DUPLICATE
Last Closed|                            |2020-06-19 18:22:23
--- Comment #4 from Alexey Tikhonov atikhono@redhat.com --- Thank you for the log. You're right, those "GSSAPI errors" don't seem to be relevant.

The GPO access check fails for the user "lpguerreroj":

```
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): smb_path: /ad.activarsas.co/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): gpo_func_version: 2
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): gpo_flags: 0
[be[ad.activarsas.co]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed
[be[ad.activarsas.co]] [sdap_id_op_done] (0x4000): releasing operation connection
[be[ad.activarsas.co]] [ad_gpo_process_gpo_done] (0x0040): Unable to get GPO list: [22](Invalid argument)
[be[ad.activarsas.co]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
```
I believe this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1840908#c0
*** This bug has been marked as a duplicate of bug 1840908 ***
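The triage that comment #4 did by hand (scan a debug_level=9 sssd domain log, keep only the failure-level records and read off the first one as the root cause) can be scripted. The following is an added example, not code from this bug report or from the SSSD project; the log sample is constructed from the lines quoted above, the debug-level bit masks come from sssd.conf(5), and the "ad_gpo" classification is a heuristic of my own keyed on the function-name prefix.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the debug_level=9 lines quoted in comment #4.
SAMPLE_LOG = """\
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): smb_path: /ad.activarsas.co/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): gpo_func_version: 2
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x4000): gpo_flags: 0
[be[ad.activarsas.co]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
[be[ad.activarsas.co]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed
[be[ad.activarsas.co]] [sdap_id_op_done] (0x4000): releasing operation connection
[be[ad.activarsas.co]] [ad_gpo_process_gpo_done] (0x0040): Unable to get GPO list: [22](Invalid argument)
[be[ad.activarsas.co]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
"""

# SSSD debug_level bit masks for fatal (0x0010), critical (0x0020), serious
# (0x0040) and minor (0x0080) failures, per sssd.conf(5). Trace records such as
# 0x4000 are noise for this purpose and are dropped.
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040 | 0x0080

# "[be[<domain>]] [<function>] (0x<level>): <message>"
LINE_RE = re.compile(
    r"^\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one sssd domain-log line into process, function, level and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failure_chain(log: str) -> List[Dict[str, str]]:
    """Failure-level records in log order: the first is the root cause, the
    last is the symptom that reaches PAM (here the 'System error' from su)."""
    records = (parse_line(line) for line in log.splitlines())
    return [r for r in records if r and int(r["level"], 16) & FAILURE_MASK]

def classify(log: str) -> str:
    """Name the SSSD subsystem that rejected the login (heuristic, assumption)."""
    chain = failure_chain(log)
    if not chain:
        return "no failure-level records"
    root = f"{chain[0]['func']}: {chain[0]['msg']}"
    if any(r["func"].startswith("ad_gpo_") for r in chain):
        # GPO access control runs against the DC, which is consistent with the
        # page's symptom: online login fails while offline (cached) login works.
        return f"ad_gpo access control (root: {root})"
    return f"other (root: {root})"

if __name__ == "__main__":
    for r in failure_chain(SAMPLE_LOG):
        print(r["level"], r["func"], r["msg"])
    print(classify(SAMPLE_LOG))
```

Feed it `/var/log/sssd/sssd_<domain>.log` from the failed attempt; the root-cause line is the one to quote when filing or matching a bug.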