#3174 Clock skew makes SSSD return System Error
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1373427

Description of problem:
Sometime login via ssh as remote (IPA) user fails with the following error. The
issue appears after machine reboot.

 [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not
yet valid
 [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not
yet valid
 sshd[11123]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=localhost user=amy@ipa.baseos.qe
 sshd[11123]: pam_sss(sshd:auth): received for user amy@ipa.baseos.qe: 4
(System error)
 sshd[11121]: error: PAM: Authentication failure for amy@ipa.baseos.qe from
 sshd[11126]: pam_sepermit(sshd:auth): Parsing config file:
 sshd[11126]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed
on match
 sshd[11126]: pam_sepermit(sshd:auth): sepermit_match returned: -1
 sshd[11121]: Connection closed by [preauth]

The issue does not appear all the time and all test machines.
I'm not sure if it is sssd or other component. Please help to investigate.

Version-Release number of selected component (if applicable):
package krb5 is not installed

How reproducible:
~50% chance on test machines

Steps to Reproduce:
1. join to IPA via realmd
2. ssh works
3. reboot
4. ssh does not work

Actual results:

Expected results:

Additional info:

We already convert some error codes like KRB5_KDCREP_SKEW to ERR_NETWORK_IO, I think we should do the same with KRB5KRB_AP_ERR_TKT_EXPIRED and KRB5KRB_AP_ERR_TKT_NYV.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.2


resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.2

5 years ago

And related ticket for regression introduced by this patch

Metadata Update from @lslebodn:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch adjusted to on (was: 1)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4207

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.