#3172 Access denied for user when access_provider = krb5 is set in sssd.conf
Closed: Fixed. Opened 2 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1372753

Created attachment 1197226
SSSD Log file

Description of problem:
This issue was observed during the automated regression rounds on an LDAP + KRB
server setup. When access_provider = krb5 is set in sssd.conf, authentication
fails for krb users with the following error in /var/log/secure:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh
ruser= rhost=localhost user=testuser3
pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
sshd[30217]: Failed password for testuser3 from ::1 port 43342 ssh2
fatal: Access denied for user testuser3 by PAM account configuration [preauth]

However, user authentication works only when the user is added to a .k5login file
within the user's home directory, which means we have to first create the
.k5login file and add the user.


Version-Release number of selected component (if applicable):
sssd-1.14.0-30.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup a 389DS LDAP server and KRB server.

2. Add a testuser to LDAP server and add the same user to KRB server. See cmd
below:
 # kadmin.local -q "addprinc -pw Secret123 testuser"

3. Setup a RHEL-7.3 SSSD client system with the following configuration:

SSSD.CONF File
--------------------------------------
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://<LDAP_SERVER>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = <KRB_SERVER>
krb5_realm = EXAMPLE.COM

4. Execute user auth. (auth fails)

# ssh -l testuser localhost
testuser@localhost's password:
Connection closed by ::1

5. Create the user's home directory and then create .k5login file within it.

6. Add the user name to it: testuser@EXAMPLE.COM

7. Execute user auth (auth succeeds) and monitor the log files

Actual results:
User authentication fails and works only when a .k5login file is created with the
user name in it. Log files are also attached for review.

Expected results:
User authentication should work without creating a .k5login file when
access_provider = krb5 is set. This used to work in older RHEL versions.

Additional info:
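The access decision this report exercises is the Kerberos .k5login check: with access_provider = krb5, SSSD defers to the library's krb5_kuserok() logic, whose default policy allows a principal with no .k5login present only when it maps to the local user name in the default realm, and, once the file exists, only when the principal is listed in it. The Python below models that policy so the report's observed and expected results can be compared side by side. It is an added illustration, not SSSD or MIT Kerberos code; the home directory, user and principals are constructed for the scenarios, and the model omits the ownership and permission checks the real library performs on the .k5login file.

```python
"""Model of the .k5login access policy behind access_provider = krb5.

Illustrative reimplementation of the krb5_kuserok() default behaviour;
not SSSD's or MIT Kerberos' own code.
"""
import os
import tempfile


def principal_localname(principal, default_realm):
    """Default principal-to-local-name mapping: only single-component
    principals in the default realm map to a local user; anything else
    (foreign realm, service instances such as host/...) has no local name."""
    name, sep, realm = principal.partition("@")
    if sep and realm != default_realm:
        return None
    if "/" in name:
        return None
    return name


def k5login_entries(path, default_realm):
    """Read .k5login; an entry without a realm is completed with the
    default realm, as krb5_parse_name() would do."""
    entries = set()
    with open(path) as fh:
        for line in fh:
            entry = line.strip()
            if not entry:
                continue
            if "@" not in entry:
                entry = f"{entry}@{default_realm}"
            entries.add(entry)
    return entries


def kuserok(home, username, principal, default_realm):
    """Return True if `principal` may log in as local user `username`.

    No .k5login in `home`: allow only if the principal maps to `username`.
    .k5login present: allow only if the principal is listed; the implicit
    same-user rule no longer applies (the real check additionally rejects
    a file not owned by the user or root, which this model omits)."""
    k5login = os.path.join(home, ".k5login")
    if not os.path.exists(k5login):
        return principal_localname(principal, default_realm) == username
    return principal in k5login_entries(k5login, default_realm)


def run_scenarios():
    """Constructed scenarios mirroring the report; returns {label: allowed}."""
    realm = "EXAMPLE.COM"
    results = {}
    with tempfile.TemporaryDirectory() as home:
        # Step 4 of the report, as it should behave: no .k5login, same user.
        results["no_k5login_same_user"] = kuserok(home, "testuser", "testuser@EXAMPLE.COM", realm)
        # A different user's ticket must not grant access without a .k5login.
        results["no_k5login_other_user"] = kuserok(home, "testuser", "testuser3@EXAMPLE.COM", realm)
        # A foreign-realm principal has no default local-name mapping.
        results["no_k5login_foreign_realm"] = kuserok(home, "testuser", "testuser@OTHER.COM", realm)

        # Once .k5login exists, only listed principals are allowed.
        k5login = os.path.join(home, ".k5login")
        with open(k5login, "w") as fh:
            fh.write("admin/admin@EXAMPLE.COM\n")
        results["k5login_self_unlisted"] = kuserok(home, "testuser", "testuser@EXAMPLE.COM", realm)
        results["k5login_admin_listed"] = kuserok(home, "testuser", "admin/admin@EXAMPLE.COM", realm)

        # Steps 5-6 of the report: add testuser@EXAMPLE.COM to .k5login.
        with open(k5login, "a") as fh:
            fh.write("testuser@EXAMPLE.COM\n")
        results["k5login_self_listed"] = kuserok(home, "testuser", "testuser@EXAMPLE.COM", realm)
        results["k5login_other_unlisted"] = kuserok(home, "testuser", "testuser3@EXAMPLE.COM", realm)
    return results


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY'}")
```

The "no_k5login_same_user" scenario is the report's expected result: a principal whose local-name mapping equals the account name should be admitted with no .k5login at all, which is why the reporter's workaround of creating the file with testuser@EXAMPLE.COM should never have been necessary. The "k5login_self_unlisted" scenario is the operational caveat worth remembering when the file is used deliberately: its presence replaces the implicit same-user rule rather than adding to it.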

Fields changed

mark: no => 0
owner: somebody => jhrozek
review: True => 0
status: new => assigned
testsupdated: => 0

master:

milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.2

2 years ago

