#3329 Wrong principal found with ad provider and long host name

Created 5 months ago by lslebodn
Modified 4 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1431858

Description of problem:
sssd tries to find the most suitable principal from the keytab. We need to use the UPN with
the AD provider, and it should be at most 15 upper-case letters from the hostname

e.g.
hostname =  kvm-02-guest20kvm-02-guest20.sssd.com@SSSDAD.COM
UPN = KVM-02-GUEST20K$@SSSDAD.COM

Version-Release number of selected component (if applicable):
sh$ rpm -q sssd
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. set hostname longer than 15 characters
2. join sssd to AD domain
3. start sssd
4. try to resolve some users

Actual results:
Users are not resolved

Expected results:
Users are resolved.

Additional info:
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM in default keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM).
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM

sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM
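
The mismatch reported above, reproduced as an added example (not SSSD's code and not part of the original ticket): the candidate built from the full upper-cased short hostname is absent from the keytab, while the one cut to 15 characters matches. The helper names `ad_upn_candidate` and `select_upn` are hypothetical, the exact-match lookup is a simplification, and the keytab list holds the distinct principals from the `klist -kt` output above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AD_NAME_MAX 15  /* limit stated in the ticket */

/* Distinct principals from the klist output in the ticket. */
static const char *const KEYTAB[] = {
    "KVM-02-GUEST20K$@SSSDAD.COM",
    "host/KVM-02-GUEST20K@SSSDAD.COM",
    "host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM",
    "RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM",
    "RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM",
};
#define KEYTAB_LEN (sizeof(KEYTAB) / sizeof(KEYTAB[0]))

/* Build "<SHORTNAME>$@<REALM>": first label of fqdn, upper-cased and, when
 * clip is non-zero, cut to AD_NAME_MAX characters. Returns 0 on success,
 * -1 if out is too small. (Hypothetical helper, not an SSSD function.) */
int ad_upn_candidate(const char *fqdn, const char *realm, int clip,
                     char *out, size_t outlen)
{
    size_t n = strcspn(fqdn, ".");
    if (clip && n > AD_NAME_MAX) n = AD_NAME_MAX;
    if (n + strlen(realm) + 3 > outlen) return -1;   /* '$', '@', NUL */
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)fqdn[i]);
    snprintf(out + n, outlen - n, "$@%s", realm);
    return 0;
}

/* Exact-match lookup of the candidate in KEYTAB; returns its index or -1. */
int select_upn(const char *fqdn, const char *realm, int clip)
{
    char cand[256];
    if (ad_upn_candidate(fqdn, realm, clip, cand, sizeof(cand)) != 0)
        return -1;
    for (size_t i = 0; i < KEYTAB_LEN; i++)
        if (strcmp(KEYTAB[i], cand) == 0) return (int)i;
    return -1;
}

int main(void)
{
    const char *fqdn = "kvm-02-guest20kvm-02-guest20.sssdad.com";
    printf("untruncated: %d\n", select_upn(fqdn, "SSSDAD.COM", 0));
    printf("truncated:   %d\n", select_upn(fqdn, "SSSDAD.COM", 1));
    return 0;
}
```
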

5 months ago

Metadata Update from @lslebodn:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1431858

5 months ago

Metadata Update from @lslebodn:
- Custom field patch adjusted to on
- Custom field version adjusted to 1.10.0
- Issue set to the milestone: None

5 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

5 months ago

Metadata Update from @jhrozek:
- Issue priority set to: blocker

master:

  • c6f1bc32774a7cf2f8678499dfbced420be3a3a1

sssd-1-14:

  • fee7386e3af5e55eb3c66d8cf3533075b977a734

sssd-1-13:

  • 56ca9ad3d7ec7da2e82b51ffc55f6d1367d14f34

4 months ago

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
