#1740 Incorrect principal searched for in keytab
Closed: Fixed. Opened 6 years ago by prefect.

SSSD attempts to use fqdn$@DOMAIN rather than shorthostname$@DOMAIN. This means it fails to find a usable credential on a machine joined to Active Directory, and is looking for a principal that's very unlikely to exist.

Since 4ee7f39, searching for *$ has been removed, so the short form is never found. As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.


Replying to [ticket:1740 prefect]:

> Since 4ee7f39, searching for *$ has been removed, so the short form is never found.

This is not entirely correct; the search for *$ has not been removed but rather moved down the list. I think that makes sense, actually, as the wildcard matches should follow specific matches.

> As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.

In particular, this is a result of many keytabs also having host/hostname@REALM which, as it's a specific match, gets matched before the wildcard *$@REALM.
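
The effect jhrozek describes (a specific host/ entry winning once the *$ wildcard is tried later) is easy to see in a small model of candidate-ordered keytab lookup. The following is an added illustration, not SSSD's code: the realm, hostnames and keytab contents are constructed sample data, and both candidate orders are assumptions chosen to mirror the ticket's description rather than SSSD's real search list.

```python
"""Model of candidate-ordered principal lookup in a keytab (added example, not SSSD code)."""
import fnmatch

REALM = "EXAMPLE.COM"             # constructed
FQDN = "client01.example.com"     # constructed
SHORT = "CLIENT01"                # constructed; AD machine accounts are SHORT$@REALM

# Constructed keytab contents, the kind of list `klist -kt` shows on an AD-joined host:
# a host/ service principal plus the machine account.
KEYTAB_PRINCIPALS = [
    f"host/{FQDN}@{REALM}",
    f"{SHORT}$@{REALM}",
]


def candidate_list(wildcard_last: bool) -> list:
    """Assumed list of candidate names, in the order they are tried.

    wildcard_last=False: the '*$@REALM' wildcard is tried before the
    specific names (the ordering the ticket says existed before 4ee7f39).
    wildcard_last=True: specific names first, wildcard after them (the
    reordering the ticket discusses). Both orders are assumptions.
    """
    specific = [
        f"{FQDN}$@{REALM}",        # the fqdn$ form the reporter saw being tried
        f"host/{FQDN}@{REALM}",    # the host/ entry most keytabs carry
    ]
    wildcard = [f"*$@{REALM}"]
    return specific + wildcard if wildcard_last else wildcard + specific


def select_principal(keytab, candidates, sasl_authid=None):
    """Return the first keytab entry that matches a candidate, in candidate order.

    An explicitly configured ldap_sasl_authid bypasses the search entirely,
    which is why the ticket treats it as the manual workaround.
    """
    if sasl_authid:
        if sasl_authid in keytab:
            return sasl_authid
        raise LookupError(f"configured ldap_sasl_authid {sasl_authid!r} is not in the keytab")
    for pattern in candidates:
        for entry in keytab:
            # fnmatchcase: '*' matches any run of characters, '$' and '.' are literal
            if fnmatch.fnmatchcase(entry, pattern):
                return entry
    raise LookupError("no usable principal found in keytab")


def compare_orderings(keytab=KEYTAB_PRINCIPALS) -> dict:
    """Show which principal each ordering (and an explicit authid) selects."""
    return {
        "wildcard_first": select_principal(keytab, candidate_list(wildcard_last=False)),
        "wildcard_last": select_principal(keytab, candidate_list(wildcard_last=True)),
        "explicit_authid": select_principal(
            keytab, candidate_list(wildcard_last=True), sasl_authid=f"{SHORT}$@{REALM}"
        ),
    }


if __name__ == "__main__":
    for label, chosen in compare_orderings().items():
        print(f"{label:16} -> {chosen}")
```

With the wildcard tried first, the machine account CLIENT01$@EXAMPLE.COM is chosen; once the wildcard moves behind the specific names, the host/ entry matches first and the machine account is never reached, which is the situation described above. Setting ldap_sasl_authid pins the choice regardless of ordering. To see which principals a real host actually has, `klist -kt /etc/krb5.keytab` lists the keytab entries.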

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4
patch: 0 => 1

Is there a way to set ldap_sasl_authid to something automatically on the upgrade to avoid manual changes?

Replying to [comment:5 dpal]:

> Is there a way to set ldap_sasl_authid to something automatically on the upgrade to avoid manual changes?

There might be, but it's actually easier to fix the code.

resolution: => fixed
status: assigned => closed

Metadata Update from @prefect:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4
