#1740 Incorrect principal searched for in keytab
Closed: Fixed None Opened 7 years ago by prefect.

SSSD attempts to use fqdn$@DOMAIN rather than shorthostname$@DOMAIN. This means it fails to find a usable credential on a machine joined to Active Directory, and is looking for a principal that's very unlikely to exist.

Since 4ee7f39, searching for *$ has been removed, so the short form is never found. As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.


Replying to [ticket:1740 prefect]:

Since 4ee7f39, searching for *$ has been removed, so the short form is never found.

This is not entirely correct, the search for *$ has not been removed but rather moved down to the list. I think that makes sense, actually, as the wildcard matches should follow specific matches.

As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.

In particular, this is a result of many keytabs also having host/hostname@REALM, which, as it's a specific match gets matched before the wildcard *$@REALM.

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4
patch: 0 => 1

Is there a way to set ldap_sasl_authid to something automatically on the upgrade to avoid manual changes?

Replying to [comment:5 dpal]:

Is there a way to set ldap_sasl_authid to something automatically on the upgrade to avoid manual changes?

There might be, but it's actually easier to fix the code.

resolution: => fixed
status: assigned => closed

Metadata Update from @prefect:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2782

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata