Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1372753
Created attachment 1197226
SSSD Log file

Description of problem:
This issue was observed during the automated regression rounds on LDAP + KRB server setup. When access_provider = krb5 is set in sssd.conf, authentication fails for krb users with following error in /var/log/secure:

    pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser3
    pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
    sshd[30217]: Failed password for testuser3 from ::1 port 43342 ssh2
    fatal: Access denied for user testuser3 by PAM account configuration [preauth]

However, user authentication works only when the user is added to .k5login file within user's home directory, which means we have to first create the file .k5login and add the user.

Version-Release number of selected component (if applicable):
sssd-1.14.0-30.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup a 389DS LDAP server and KRB server.
2. Add a testuser to LDAP server and add the same user to KRB server. See cmd below:

    # kadmin.local -q "addprinc -pw Secret123 testuser"

3. Setup a RHEL-7.3 SSSD client system with the following configuration:

    SSSD.CONF File
    --------------------------------------
    [sssd]
    config_file_version = 2
    sbus_timeout = 30
    services = nss, pam
    domains = LDAP-KRB5

    [nss]
    filter_groups = root
    filter_users = root

    [pam]

    [domain/LDAP-KRB5]
    debug_level = 9
    id_provider = ldap
    ldap_uri = ldap://<LDAP_SERVER>
    ldap_search_base = dc=example,dc=com
    auth_provider = krb5
    access_provider = krb5
    krb5_server = <KRB_SERVER>
    krb5_realm = EXAMPLE.COM

4. Execute user auth. (auth fails)

    # ssh -l testuser localhost
    testuser@localhost's password:
    Connection closed by ::1

5. Create the user's home directory and then create .k5login file within it.
6. Add the user name to it: testuser@EXAMPLE.COM
7. Execute user auth (auth succeeds) and monitor the log files

Actual results:
User authentication fails and works only when .k5login file is created & set with username in it. Also attached log files for review.

Expected results:
User authentication should work without creating .k5login file and when access_provider = krb5 is set. This used to work in older RHEL versions.

Additional info:
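In the /var/log/secure lines quoted in the report, pam_sss succeeds in the auth phase and then denies in the account phase, yet sshd still records "Failed password", so the sshd line alone does not tell a bad password apart from an access-provider denial. The following Python script is an added example, not part of the ticket or of SSSD; it separates the two cases by correlating the pam_sss lines per user. The sample input is constructed from the report's excerpt, and testuser4 is a hypothetical user added for contrast.

```python
import re

# pam_sss auth-phase result: "pam_sss(sshd:auth): authentication success; ... user=NAME"
AUTH = re.compile(r"pam_sss\((?P<svc>[^:)]+):auth\): authentication "
                  r"(?P<result>success|failure);.*\buser=(?P<user>\S+)")
# pam_sss account-phase denial: "... Access denied for user NAME: 6 (Permission denied)"
ACCT = re.compile(r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user "
                  r"(?P<user>[^:\s]+): (?P<code>\d+) \((?P<msg>[^)]*)\)")

# Constructed sample: testuser3 lines follow the report, testuser4 is hypothetical.
SAMPLE = """\
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser3
pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
sshd[30217]: Failed password for testuser3 from ::1 port 43342 ssh2
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser4
sshd[30250]: Failed password for testuser4 from ::1 port 43350 ssh2
"""

def classify(log_text):
    """Return {user: verdict} built from the pam_sss auth and account lines."""
    authed = set()   # (service, user) pairs whose auth phase succeeded
    verdict = {}
    for line in log_text.splitlines():
        m = AUTH.search(line)
        if m:
            key = (m["svc"], m["user"])
            if m["result"] == "success":
                authed.add(key)
                verdict.setdefault(m["user"], "auth-ok")
            else:
                authed.discard(key)
                verdict[m["user"]] = "auth-failed"
            continue
        m = ACCT.search(line)
        if m:
            key = (m["svc"], m["user"])
            if key in authed:
                # Credentials were accepted; the account (access) phase refused.
                verdict[m["user"]] = (
                    f"access-denied-after-auth (PAM {m['code']}: {m['msg']})")
            else:
                verdict[m["user"]] = "access-denied"
            authed.discard(key)
    return verdict

if __name__ == "__main__":
    for user, result in classify(SAMPLE).items():
        print(f"{user}: {result}")
```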
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
master:
milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed
Metadata Update from @lslebodn: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.14.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4205
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.