#3174 Clock skew makes SSSD return System Error
Closed: Fixed None Opened 2 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1373427

Description of problem:
Sometimes login via ssh as a remote (IPA) user fails with the following error. The
issue appears after a machine reboot.

 [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid
 [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid
 sshd[11123]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=amy@ipa.baseos.qe
 sshd[11123]: pam_sss(sshd:auth): received for user amy@ipa.baseos.qe: 4 (System error)
 sshd[11121]: error: PAM: Authentication failure for amy@ipa.baseos.qe from
 sshd[11126]: pam_sepermit(sshd:auth): Parsing config file:
 sshd[11126]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
 sshd[11126]: pam_sepermit(sshd:auth): sepermit_match returned: -1
 sshd[11121]: Connection closed by [preauth]

The issue does not appear all the time and on all test machines.
I'm not sure if it is sssd or other component. Please help to investigate.

Version-Release number of selected component (if applicable):
package krb5 is not installed

How reproducible:
~50% chance on test machines

Steps to Reproduce:
1. join to IPA via realmd
2. ssh works
3. reboot
4. ssh does not work

Actual results:

Expected results:

Additional info:

We already convert some error codes like KRB5_KDCREP_SKEW to ERR_NETWORK_IO. I think we should do the same with KRB5KRB_AP_ERR_TKT_EXPIRED and KRB5KRB_AP_ERR_TKT_NYV.
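
An added example, not part of the ticket or of SSSD's code: a log triage helper that separates the failure shown in the log above from ordinary authentication failures by pairing a pam_sss result of 4 (System error) with a krb5_child time-validity error logged just before it. The second user, the last sample line and the five-line correlation window are constructed assumptions.

```python
import re

# krb5 error strings that point at a time problem rather than bad credentials.
CLOCK_MESSAGES = ("Ticket not yet valid", "Ticket expired", "Clock skew too great")

KRB5_CHILD = re.compile(r"\[sssd\[krb5_child\[\d+\]\]\]\[\d+\]: (.*)$")
PAM_RESULT = re.compile(
    r"sshd\[\d+\]: pam_sss\(sshd:auth\): received for user (\S+): (\d+) \(.+?\)"
)

# First four lines are taken from the ticket; the last one is constructed.
SAMPLE = [
    " [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid",
    " [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid",
    " sshd[11123]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=localhost user=amy@ipa.baseos.qe",
    " sshd[11123]: pam_sss(sshd:auth): received for user amy@ipa.baseos.qe: 4 (System error)",
    " sshd[11200]: pam_sss(sshd:auth): received for user bob@example.test: 7 (Authentication failure)",
]


def classify(lines, window=5):
    """Return one (user, pam_code, cause) tuple per pam_sss result line.

    A result of 4 (System error) is attributed to the clock when a
    krb5_child time-validity error appears at most `window` lines earlier
    (assumed window; the ticket's log carries no timestamps to use instead).
    """
    results = []
    last_clock = None  # (line index, matched message)
    for i, line in enumerate(lines):
        child = KRB5_CHILD.search(line)
        if child:
            hit = next((c for c in CLOCK_MESSAGES if c in child.group(1)), None)
            if hit:
                last_clock = (i, hit)
            continue
        pam = PAM_RESULT.search(line)
        if not pam:
            continue
        user, code = pam.group(1), int(pam.group(2))
        cause = "other"
        if code == 4 and last_clock and i - last_clock[0] <= window:
            cause = "clock: " + last_clock[1]
        results.append((user, code, cause))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```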

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.2


resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.2

2 years ago

And related ticket for regression introduced by this patch
