#3188 krb5_map_user doesn't seem effective anymore
Closed: Fixed. Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1375552

Created attachment 1200475
sssd realm log

Description of problem:
For a few days now, it seems that the setting `krb5_map_user` in
`/etc/sssd/sssd.conf` is not taking effect. I have this property set to
`jpkroehling:jcosta`, so that my local user `jpkroehling` is translated to
`jcosta` on a given Kerberos realm. It used to work, but now I see the
following in the logs:

Sep 13 13:37:56 carambola [sssd[krb5_child[15539]]][15539]: Client
'jpkroehling@REDHAT.COM' not found in Kerberos database


Version-Release number of selected component (if applicable):
1.14.1 , release 2.fc24

How reproducible:
Always

Steps to Reproduce:
I basically followed the instructions on [1] to get an automatic kinit whenever
I login.

[1] https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/

Actual results:
There's no valid Kerberos ticket, as it tries to get one for the user
`jpkroehling`.

Expected results:
A Kerberos ticket would have been obtained for `jcosta`.

Additional info:
From IRC:

<lslebodn> jpkroehling: Could you file a fedora BZ + provide log files with
debug_level=9
<lslebodn> I assume that bug is caused by sysdb refactoring which was done in
1.14

A possible workaround is to downgrade sssd:

dnf downgrade sssd-krb5 sssd sssd-krb5-common python3-sssdconfig sssd-ad sssd-krb5-common sssd-ipa sssd-ldap sssd-proxy sssd-common-pac libipa_hbac sssd-common libsss_autofs libsss_idmap libsss_sudo sssd-client

Another regression caused by the FQDNs in sysdb.

owner: somebody => jhrozek
status: new => assigned

Actually somebody can fix this. The problem is that the get_krb_primary compares a short name from the config with a qualified name from the provider. Since this feature works with only the primary domain, we can probably qualify all the names when loading them.

owner: jhrozek => somebody
status: assigned => new
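The mismatch described in the comment above, as an added Python model (this is not SSSD's own code): the config's short names are compared against a provider-supplied name that, since the sysdb refactoring, arrives fully qualified. The `user@domain` internal name format and the domain `example.com` are assumptions for the illustration.

```python
from typing import Dict, Optional

def parse_krb5_map_user(value: str) -> Dict[str, str]:
    """Parse the krb5_map_user option ('local1:princ1, local2:princ2')
    into {local_user: kerberos_principal}."""
    mapping: Dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        local, sep, principal = entry.partition(":")
        local, principal = local.strip(), principal.strip()
        if not sep or not local or not principal:
            raise ValueError(f"malformed krb5_map_user entry: {entry!r}")
        mapping[local] = principal
    return mapping

def get_krb_primary_buggy(mapping: Dict[str, str], username: str) -> Optional[str]:
    """Pre-fix lookup: a plain compare of the config's short names against
    the name handed in by the provider. Works for 'jpkroehling', silently
    misses once the provider starts passing 'jpkroehling@domain', so no
    mapping is applied and the wrong principal is requested from the KDC."""
    for local, principal in mapping.items():
        if local == username:
            return principal
    return None

def qualify(name: str, domain: str) -> str:
    """Assumed internal format user@domain; already-qualified names pass through."""
    return name if "@" in name else f"{name}@{domain}"

def get_krb_primary_fixed(mapping: Dict[str, str], username: str, domain: str) -> Optional[str]:
    """Fix as described in the comment: qualify the config names with the
    primary domain when loading them, then compare qualified with qualified,
    so the lookup works whichever form the provider passes."""
    qualified = {qualify(local, domain): principal for local, principal in mapping.items()}
    return qualified.get(qualify(username, domain))
```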

Fields changed

owner: somebody => pcech
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.2

master:

resolution: => fixed
status: assigned => closed
version: => 1.14.0

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.2

2 years ago
