#1658 ipa password auth failing for user principal name when shorter than IPA Realm name
Closed: Fixed None Opened 7 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=878262 (Red Hat Enterprise Linux 6)

Description of problem:

AD Trusted users where the full user@domain UPN is shorter than the IPA Realm
name cannot ssh into IPA clients with password authentication.


[root@storm log]# kinit r2a1@ADLAB.QE
Password for r2a1@ADLAB.QE:
[root@storm log]# ssh -K -l r2a1@adlab.qe $(hostname)
Creating home directory for r2a1@adlab.qe.

-sh-4.1$ exit
logout
Connection to storm.ipa3.example.com closed.

[root@storm log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2a1@ADLAB.QE

Valid starting     Expires            Service principal
11/19/12 13:40:03  11/19/12 23:40:26  krbtgt/ADLAB.QE@ADLAB.QE
        renew until 11/20/12 13:40:03
11/19/12 13:40:42  11/19/12 23:40:26  krbtgt/IPA3.EXAMPLE.COM@ADLAB.QE
        renew until 11/20/12 13:40:03
11/19/12 13:40:25  11/19/12 23:40:26
host/storm.ipa3.example.com@IPA3.EXAMPLE.COM
        renew until 11/20/12 13:40:03

[root@storm log]# kdestroy

[root@storm log]# ssh -l r2a1@adlab.qe $(hostname)
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied, please try again.
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied, please try again.
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

^^^ the last attempt here, I also typed in another window and cut and pasted
just to make certain I didn't have a typo.

[root@storm log]# kinit r2a1@ADLAB.QE
Password for r2a1@ADLAB.QE:

^^^ cut and paste here from same buffer to make sure I had it right.

[root@storm log]# date
Mon Nov 19 13:41:45 EST 2012


/var/log/secure:

Nov 19 13:41:29 storm sshd[31308]: pam_sss(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=storm.ipa3.example.com
user=r2a1@adlab.qe
Nov 19 13:41:29 storm sshd[31308]: pam_sss(sshd:auth): received for user
r2a1@adlab.qe: 4 (System error)
Nov 19 13:41:31 storm sshd[31308]: Failed password for r2a1@adlab.qe from
10.16.96.68 port 35721 ssh2
Nov 19 13:41:31 storm sshd[31309]: Connection closed by 10.16.96.68
Nov 19 13:41:31 storm sshd[31308]: PAM 2 more authentication failures; logname=
uid=0 euid=0 tty=ssh ruser= rhost=storm.ipa3.example.com  user=r2a1@adlab.qe


/var/log/sssd/sssd_ipa1.example.com.log:
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch]
(0x4000): dbus conn: 25A7DE0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch]
(0x4000): Dispatching.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [getAccountInfo]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=r2a1]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]]
[ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not
handled by the IPA provider but are resolved by the responder directly from the
 cache.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,User lookup failed
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch]
(0x4000): dbus conn: 25A7DE0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch]
(0x4000): Dispatching.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [pamHandler]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): domain: adlab.qe
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): user: r2a1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): service: sshd
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): tty: ssh
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): ruser:
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): rhost: storm.ipa3.example.com
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): authtok type: 1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): authtok size: 10
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): newauthtok size: 0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): priv: 1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data]
(0x0100): cli_pid: 31308
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Added
timed event "ltdb_callback": 0x25c88d0

(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Added
timed event "ltdb_timeout": 0x25e6aa0

(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000):
Destroying timer event 0x25e6aa0 "ltdb_timeout"

(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Ending
timer event 0x25c88d0 "ltdb_callback"

(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [krb5_get_simple_upn]
(0x4000): Using simple UPN [r2a1@ADLAB.QE].
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [krb5_auth_send]
(0x0040): compare_principal_realm failed.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ipa_auth_handler_done]
(0x0040): krb5_auth_recv request failed.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]]
[be_pam_handler_callback] (0x0100): Sending result [4][adlab.qe]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]]
[be_pam_handler_callback] (0x0100): Sent result [4][adlab.qe]


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.   Set up IPA server with longer realm name like ipa1.example.com
2.   Set up AD server with shorter realm domain/realm name like ad.test
3.   Add AD User user@ad.test
4.   ssh -l user@ad.test <IPA server>

Actual results:
Fails like above


Expected results:
ssh in per norm.


Additional info:

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
owner: somebody => sbose
testsupdated: => 0

Fixed in master:
- ba098f8
and sssd-1-9:
- cfed272

resolution: => fixed
status: new => closed
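An added illustration, not the code SSSD ships and not the fix in the commits referenced above, of the class of check that the `compare_principal_realm failed` log line points at: a length-based suffix comparison rejects a UPN shorter than the IPA realm before it even looks at the principal's realm, while splitting the principal at its last `@` and comparing only the realm component handles `r2a1@ADLAB.QE` against `IPA3.EXAMPLE.COM` correctly. The function names, the `realm_result` enum and the length-based variant are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of comparing a principal's realm against the IPA realm. */
enum realm_result { REALM_MALFORMED = -1, REALM_SAME = 0, REALM_DIFFERENT = 1 };

/* Illustrative length-based check (an assumption, not SSSD's code) that
 * reproduces the symptom in the ticket: a UPN no longer than "@" plus the
 * realm is rejected as malformed before its own realm is even looked at. */
static enum realm_result realm_check_by_length(const char *upn,
                                               const char *realm)
{
    size_t upn_len = strlen(upn);
    size_t realm_len = strlen(realm);

    /* "r2a1@ADLAB.QE" (13 chars) vs "IPA3.EXAMPLE.COM" (16) fails right here. */
    if (upn_len < realm_len + 2) {
        return REALM_MALFORMED;
    }
    if (upn[upn_len - realm_len - 1] == '@' &&
        strcmp(upn + upn_len - realm_len, realm) == 0) {
        return REALM_SAME;
    }
    return REALM_DIFFERENT;
}

/* Corrected form: split the principal at its last '@' and compare only the
 * realm component, so the principal's length never decides the outcome. */
static enum realm_result realm_check_by_split(const char *upn,
                                              const char *realm)
{
    const char *at_sign;

    if (upn == NULL || realm == NULL || *upn == '\0' || *realm == '\0') {
        return REALM_MALFORMED;
    }
    at_sign = strrchr(upn, '@');
    if (at_sign == NULL || at_sign[1] == '\0') {
        return REALM_MALFORMED; /* no realm component at all */
    }
    return strcmp(at_sign + 1, realm) == 0 ? REALM_SAME : REALM_DIFFERENT;
}
```

With the trusted user from the ticket, the length-based check reports a malformed principal while the split-based check correctly reports a different realm, which is what lets the IPA provider go on to authenticate the user against the trusted domain.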

Metadata Update from @pbrezina:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2700

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
