#3188 krb5_map_user doesn't seem effective anymore
Closed: Fixed None Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1375552

Created attachment 1200475
sssd realm log

Description of problem:
Since a few days, it seems that the setting `krb5_map_user` on
`/etc/sssd/sssd.conf` is not taking effect. I have this property set to
`jpkroehling:jcosta`, so that my local user `jpkroehling` is translated to
`jcosta` on a given Kerberos realm. It used to work, but now, I see the
following on the logs:

Sep 13 13:37:56 carambola [sssd[krb5_child[15539]]][15539]: Client 'jpkroehling@REDHAT.COM' not found in Kerberos database


Version-Release number of selected component (if applicable):
1.14.1 , release 2.fc24

How reproducible:
Always

Steps to Reproduce:
I basically followed the instructions on [1] to get an automatic kinit whenever
I login.

[1] https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/

Actual results:
There's no valid Kerberos ticket, as it tries to get one for the user
`jpkroehling`.

Expected results:
A Kerberos ticket would have been obtained for `jcosta`.

Additional info:
From IRC:

<lslebodn> jpkroehling: Could you file a fedora BZ + provide log files with debug_level=9
<lslebodn> I assume that bug is caused by sysdb refactoring which was done in 1.14

A possible workaround is to downgrade sssd:
dnf downgrade sssd-krb5 sssd sssd-krb5-common python3-sssdconfig sssd-ad sssd-krb5-common sssd-ipa sssd-ldap sssd-proxy sssd-common-pac libipa_hbac sssd-common libsss_autofs libsss_idmap libsss_sudo sssd-client

Another regression caused by the FQDNs in sysdb.

owner: somebody => jhrozek
status: new => assigned

Actually somebody can fix this. The problem is that the get_krb_primary compares a short name from the config with a qualified name from the provider. Since this feature works with only the primary domain, we can probably qualify all the names when loading them.
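The description above explains what krb5_map_user is meant to do (map the local login `jpkroehling` to the Kerberos primary `jcosta`), and the comment just above explains why it stopped working: get_krb_primary compares a short name from the config with a qualified name from the provider. The following Python model, added here as an illustration and not SSSD's own code, reproduces both the regression and the proposed fix (qualifying the config names at load time). The domain name `redhat.com`, the realm `REDHAT.COM`, and the function names `parse_krb5_map_user`, `qualify`, `get_krb_primary` and `build_principal` are all constructed for this example.

```python
# Added illustration of the krb5_map_user lookup discussed in this ticket.
# This is NOT SSSD's code: it is a small model of the comparison that
# get_krb_primary performs, showing why a short name from the config stops
# matching a qualified name from the provider, and how qualifying the
# config names when the map is loaded restores the mapping.

SSSD_DOMAIN = "redhat.com"   # constructed: the sssd.conf domain section name
REALM = "REDHAT.COM"         # constructed: the Kerberos realm seen in the log


def parse_krb5_map_user(value):
    """Parse a krb5_map_user value such as 'jpkroehling:jcosta, bob:rsmith'
    into {local_user: kerberos_primary}. Malformed entries are rejected."""
    mapping = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        local, sep, primary = entry.partition(":")
        local, primary = local.strip(), primary.strip()
        if not sep or not local or not primary:
            raise ValueError(f"malformed krb5_map_user entry: {entry!r}")
        mapping[local] = primary
    return mapping


def qualify(name, domain):
    """Return name@domain, leaving an already qualified name untouched."""
    return name if "@" in name else f"{name}@{domain}"


def get_krb_primary(mapping, provider_name, domain, qualify_config):
    """Return the Kerberos primary to use for provider_name.

    provider_name is the user name as the provider stores it: a short name
    before the 1.14 sysdb change, a qualified 'user@domain' afterwards.
    qualify_config=False compares the config keys exactly as written (the
    regression); qualify_config=True qualifies every key when the map is
    loaded, which is the fix proposed in the ticket.
    """
    if qualify_config:
        keys = {qualify(k, domain): v for k, v in mapping.items()}
        lookup = qualify(provider_name, domain)
    else:
        keys = mapping          # short keys straight from sssd.conf
        lookup = provider_name  # qualified name from the provider
    # No match falls back to the login name itself, which is what yields the
    # 'jpkroehling@REDHAT.COM' principal reported in the log.
    return keys.get(lookup, provider_name.partition("@")[0])


def build_principal(mapping, provider_name, domain, realm, qualify_config):
    """Compose the principal krb5_child would request for this user."""
    primary = get_krb_primary(mapping, provider_name, domain, qualify_config)
    return f"{primary}@{realm}"


if __name__ == "__main__":
    conf = parse_krb5_map_user("jpkroehling:jcosta")
    old_name = "jpkroehling"              # provider name before sysdb FQDNs
    new_name = "jpkroehling@redhat.com"   # provider name in 1.14
    for name in (old_name, new_name):
        for fixed in (False, True):
            label = "qualified config" if fixed else "raw config"
            print(f"{name:24} {label:16} -> "
                  f"{build_principal(conf, name, SSSD_DOMAIN, REALM, fixed)}")
```

Run stand-alone, the model prints `jcosta@REDHAT.COM` for the pre-1.14 short name under both lookups, `jpkroehling@REDHAT.COM` for the qualified 1.14 name with the raw comparison (the principal in the log line above), and `jcosta@REDHAT.COM` again once the config keys are qualified. On a real host the equivalent check after logging in is `klist`, which shows which principal the ticket was actually obtained for.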

owner: jhrozek => somebody
status: assigned => new

Fields changed

owner: somebody => pcech
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.2

master:

resolution: => fixed
status: assigned => closed
version: => 1.14.0

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4221

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

