#3420 kdcproxy + offline caching does not wok in offline mode
Opened 2 years ago by dsommers. Modified 4 months ago

Setup
An IPA enrolled client, configured with kcdproxy in /etc/krb5.conf and having the following entries in /etc/sssd/sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True

As long as the host is online when logging in, everything works as expected. And the logged in user have a valid kerberos ticket instantly.

But if the host is offline (wlan disabled, no ethernet), the cached credentials are not considered for the authentication and the authentication fails. The gdm interface says "Authentication failed".

Workaround
Disable the kdcproxy in /etc/krb5.conf, and logging in works when being offline. Drawback is that there will be no kerberos ticket available until the host is connected to a network or VPN which enables access to the IPA/KDC server.


Metadata Update from @simo:
- Issue priority set to: critical

2 years ago

Metadata Update from @simo:
- Issue tagged with: regression

2 years ago

I have done some debugging with debug_level = 10. The /var/log/sssd/krb5_child.log is empty while the sssd_nss.log only reports:

 (Thu Jun  1 11:58:30 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

This is appearing quite frequently as long as authentication is attempted while being offline.

The sssd_$DOMAIN.log carries some information, where look-ups seems to happen correctly - while also reporting backend being offline.

There are some more details in the sssd_$DOMAIN.log. A sanitized log from such an incident can be found here: https://paste.sommerseth.cloud/fhd71z36hi3Eoshah7Fiisahcei9iemiegheech4bie3aekahngu7ohv/ ... The raw unmodified log can be provided on request outside of publicly visible channels.

Removing tag regression because there is missing explanation.

Metadata Update from @lslebodn:
- Issue untagged with: regression

2 years ago

@dsommers Please provide info which version of sssd and krb5 is working
And which version of sssd + MIT krb5 do you use(is broken)

BTW interesting part of log file is

(Thu Jun  1 11:59:01 2017) [sssd[be[${DOMAIN}]]] [write_krb5info_file] (0x0100): KDC Proxy available for realm [${REALM}], no kdcinfo file created.
(Thu Jun  1 11:59:01 2017) [sssd[be[${DOMAIN}]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [32] for the connection.
(Thu Jun  1 11:59:01 2017) [sssd[be[${DOMAIN}]]] [sssd_async_connect_send] (0x0020): connect failed [101][Network is unreachable].

I will let you argue with @simo if this is a regression or not from a technical point of view.

IMHO from a user's perspective, it is a regression as the credential caching works fine without kdcproxy. But with kdcproxy enabled I will not be able to log into my laptop if I'm a place with no network available (like being on an airplane). (Of course, I know how to work around this but my wife won't know how to that and then she just experiences a useless computer). This impacts all authentication, like both login after boot as well as the screensaver.

I am seeing this issue on Scientific Linux 7.3 (RHEL7.3 clone).

$ rpm -q sssd krb5-libs
sssd-1.14.0-43.el7_3.14.x86_64
krb5-libs-1.14.1-27.el7_3.x86_64

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

2 years ago

I am seeing this issue on Scientific Linux 7.3 (RHEL7.3 clone).
$ rpm -q sssd krb5-libs
sssd-1.14.0-43.el7_3.14.x86_64
krb5-libs-1.14.1-27.el7_3.x86_64

And do you know which version of sssd worked for you in past?

And do you know which version of sssd worked for you in past?

No, I don't know that.

All I know is that when I enable kdcproxy, I cannot log into my laptop when it is offline. And when I disable kdcproxy, I can log into the laptop when being offline.

Hi @dsommers sorry this took so long. I wonder if you could test a patch for me if I build you a test package atop sssd-1.14.0-43.el7_3.14.x86_64 ? (or if you're running a different version already, just let me know..)

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

2 years ago

Hi @jhrozek! No worries, I'm just happy this have gotten some attention :)

I'm running Scientific Linux 7.3 (haven't had time to upgrade my box to RHEL yet), which also uses sssd-1.14.0-43.el7_3.14.x86_64 ... so I can definitely test a patched version quite easily! Just let me know here to grab it and I'll report back quickly.

Can you try this repo?

https://copr.fedorainfracloud.org/coprs/jhrozek/sssd-kdcproxy-offline/

Even if the patch doesn't work, could you attach debug logs from this version, please?

I've only managed to do a very quick test (I'm on a holiday out this week) with your new patched builds. I modified my /etc/krb5.conf to only use an https server in the kdc and kpasswd_server fields and with the appropriate CA certificate in http_anchors. I then restarted the sssd daemon with systemctl restart sssd.

With these changes in place, I was able to log in when the laptop was not connected to any network at all, even with an account which have not been used on this laptop for a while. But this testing is too simple. I'll be back at my office next week, where I will have a far better chance to test this in real life - and this is the typical place I hit this issue earlier on. I will update this ticket once I have gained more confidence in this fix.

Another input from today's login. Offline login worked again, but once the network connection was established, there were no kerberos ticket automatically acquired.

Thank you for the testing, looks like there is some progress, but because we really need to release the next upstream tarball quite soon, I'm going to bump this ticket to 1.15.4 (which, despite its size in pagure now [I'm working on triaging and drastically trimming the release], will be a fast turnaround release intented to roll in patches that are on review at the moment)

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)

2 years ago

I have had some more real-life testing now with the patched version in a few different environments and various conditions. Nothing new and unexpected since last tests. Offline login works very well, but no Kerberos ticket is acquired once the connection is established. If the laptop is online at the time of login, Kerberos ticket is acquired as it normally happens.

Let me know if I can help out testing newer patched versions.

I see that my box now wants to update to sssd-1.14.0-43.el7_3.18 (I have the fastbugs repository enabled by default), so I'll upgrade to that version now.

I'm suffering from the same issue. Is there any updates on this ticket?
This essentially renders the whole feature useless for the corporate use case where roadwarriors need to be able to work without reliable access to the internet.

@akahl, so far I only have the initial patch. It improves things and I can merge it upstream, but it's not a complete solution.

Since we've decided to rename 1.15.4 to 1.16.0 and this ticket does not have a finite resolution, I'm moving the ticket to 1.16.1

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.15.4)

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: bug, postpone-to-1-16-2

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2 (was: SSSD 1.16.1)

2 years ago

Metadata Update from @jhrozek:
- Issue untagged with: postpone-to-1-16-2

2 years ago

Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.4 (was: SSSD 1.16.3)

a year ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2 (was: SSSD 1.16.4)

9 months ago

Can you post your WIP patch? That way I might try it on my Ubuntu laptop and give feedback.
Thanks,
Jochen

I found a patch here:
https://copr-be.cloud.fedoraproject.org/results/jhrozek/sssd-kdcproxy-offline/epel-7-x86_64/

1000-KRB5-Only-ignore-offline-notification-when-using-KDC.patch

As described, login works but I don't get a TGT when network comes online.
I'm currently browsing through sssd logs - currently I think that no kerberos is even tried, because krb5_child.log is empty at that time. But sss_<domain>.log sees that we have running servers and even knows we have a KDC proxy. I'll try more digging.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1698558

7 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

6 months ago

Metadata Update from @jhrozek:
- Assignee reset

4 months ago

Login to comment on this ticket.

Metadata