Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1372753
Created attachment 1197226
SSSD Log file
Description of problem:
This issue was observed during the automated regression rounds on an LDAP + KRB
server setup. When access_provider = krb5 is set in sssd.conf, authentication
fails for Kerberos users with the following errors in /var/log/secure:
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh
ruser= rhost=localhost user=testuser3
pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
sshd: Failed password for testuser3 from ::1 port 43342 ssh2
fatal: Access denied for user testuser3 by PAM account configuration [preauth]
However, user authentication works only when the user is listed in a .k5login
file in the user's home directory, which means the .k5login file has to be
created first and the user added to it.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a 389DS LDAP server and a KRB server.
2. Add a test user to the LDAP server and add the same user to the KRB server, e.g.:
# kadmin.local -q "addprinc -pw Secret123 testuser"
3. Set up a RHEL-7.3 SSSD client system with the following configuration:
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5
filter_groups = root
filter_users = root
debug_level = 9
id_provider = ldap
ldap_uri = ldap://<LDAP_SERVER>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = <KRB_SERVER>
krb5_realm = EXAMPLE.COM
4. Attempt a user login (authentication fails):
# ssh -l testuser localhost
Connection closed by ::1
5. Create the user's home directory and then create a .k5login file within it.
6. Add the user's principal to it: testuser@EXAMPLE.COM
7. Attempt the user login again (authentication succeeds) and monitor the log files.
Actual results:
User authentication fails and works only when the .k5login file is created with
the user's principal in it. Log files are attached for review.
Expected results:
User authentication should work without creating a .k5login file when
access_provider = krb5 is set. This used to work in older RHEL versions.
design_review: => 0
mark: no => 0
owner: somebody => jhrozek
review: True => 0
status: new => assigned
testsupdated: => 0
milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed
Metadata Update from @lslebodn:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.2