https://bugzilla.redhat.com/show_bug.cgi?id=878262 (Red Hat Enterprise Linux 6)
Description of problem:
AD trusted users where the full user@domain UPN is shorter than the IPA realm name cannot ssh into IPA clients with password authentication.

[root@storm log]# kinit r2a1@ADLAB.QE
Password for r2a1@ADLAB.QE:
[root@storm log]# ssh -K -l r2a1@adlab.qe $(hostname)
Creating home directory for r2a1@adlab.qe.
-sh-4.1$ exit
logout
Connection to storm.ipa3.example.com closed.
[root@storm log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2a1@ADLAB.QE

Valid starting     Expires            Service principal
11/19/12 13:40:03  11/19/12 23:40:26  krbtgt/ADLAB.QE@ADLAB.QE
        renew until 11/20/12 13:40:03
11/19/12 13:40:42  11/19/12 23:40:26  krbtgt/IPA3.EXAMPLE.COM@ADLAB.QE
        renew until 11/20/12 13:40:03
11/19/12 13:40:25  11/19/12 23:40:26  host/storm.ipa3.example.com@IPA3.EXAMPLE.COM
        renew until 11/20/12 13:40:03
[root@storm log]# kdestroy
[root@storm log]# ssh -l r2a1@adlab.qe $(hostname)
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied, please try again.
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied, please try again.
r2a1@adlab.qe@storm.ipa3.example.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
^^^ the last attempt here, I also typed in another window and cut and pasted just to make certain I didn't have a typo.
[root@storm log]# kinit r2a1@ADLAB.QE
Password for r2a1@ADLAB.QE:
^^^ cut and paste here from same buffer to make sure I had it right.

[root@storm log]# date
Mon Nov 19 13:41:45 EST 2012

/var/log/secure:
Nov 19 13:41:29 storm sshd[31308]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=storm.ipa3.example.com user=r2a1@adlab.qe
Nov 19 13:41:29 storm sshd[31308]: pam_sss(sshd:auth): received for user r2a1@adlab.qe: 4 (System error)
Nov 19 13:41:31 storm sshd[31308]: Failed password for r2a1@adlab.qe from 10.16.96.68 port 35721 ssh2
Nov 19 13:41:31 storm sshd[31309]: Connection closed by 10.16.96.68
Nov 19 13:41:31 storm sshd[31308]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=storm.ipa3.example.com user=r2a1@adlab.qe

/var/log/sssd/sssd_ipa1.example.com.log:
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 25A7DE0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=r2a1]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 25A7DE0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): domain: adlab.qe
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): user: r2a1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): ruser:
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): rhost: storm.ipa3.example.com
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): authtok size: 10
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [pam_print_data] (0x0100): cli_pid: 31308
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x25c88d0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x25e6aa0
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Destroying timer event 0x25e6aa0 "ltdb_timeout"
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ldb] (0x4000): Ending timer event 0x25c88d0 "ltdb_callback"
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [krb5_get_simple_upn] (0x4000): Using simple UPN [r2a1@ADLAB.QE].
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [krb5_auth_send] (0x0040): compare_principal_realm failed.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][adlab.qe]
(Mon Nov 19 13:41:29 2012) [sssd[be[ipa3.example.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adlab.qe]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup IPA server with longer realm name like ipa1.example.com
2. Setup AD server with shorter realm domain/realm name like ad.test
3. Add AD User user@ad.test
4. ssh -l user@ad.test <IPA server>

Actual results:
Fails like above

Expected results:
ssh in per norm.

Additional info:
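The report above shows password authentication for a trusted-domain user failing at compare_principal_realm right after the simple UPN r2a1@ADLAB.QE has been built, and the fixing commits are referenced only by hash. The following C program is an added example, not SSSD's code, of the two steps such a path has to get right: derive the principal a login name like r2a1@adlab.qe should authenticate as (user part kept, domain mapped to its Kerberos realm, which reproduces the "Using simple UPN" line), and then check that principal's realm against the realm of the user's own domain rather than against the IPA realm, with an explicit length check so that a principal shorter than the IPA realm is reported as a different realm rather than compared past its start. The TRUST_MAP table, the function names and the login names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Result of a realm comparison (constructed for this example). */
enum realm_cmp {
    REALM_SAME = 0,       /* principal's realm equals the expected realm */
    REALM_DIFFERENT = 1,  /* principal has a realm, but not the expected one */
    REALM_INVALID = -1    /* NULL, empty, no '@', empty user or empty realm */
};

/*
 * Compare the realm part of a Kerberos principal ("user@REALM") with an
 * expected realm. The realm is everything after the LAST '@', so an
 * enterprise-style name such as "r2a1@adlab.qe@IPA3.EXAMPLE.COM" is split
 * correctly. Lengths are compared before contents, so a principal that is
 * shorter than the expected realm is simply "different", never a read
 * outside the principal string. Realm names are case sensitive.
 */
enum realm_cmp compare_principal_realm(const char *upn, const char *realm)
{
    if (upn == NULL || realm == NULL || *upn == '\0' || *realm == '\0')
        return REALM_INVALID;

    const char *at = strrchr(upn, '@');
    if (at == NULL || at == upn || at[1] == '\0')
        return REALM_INVALID;

    const char *upn_realm = at + 1;
    size_t upn_realm_len = strlen(upn_realm);
    size_t realm_len = strlen(realm);

    if (upn_realm_len != realm_len)
        return REALM_DIFFERENT;
    return memcmp(upn_realm, realm, realm_len) == 0 ? REALM_SAME : REALM_DIFFERENT;
}

/* Constructed mapping of login-name domain suffix to Kerberos realm. The
   first entry is the IPA domain; a login name without '@' is assumed to
   belong to it. Real deployments obtain this from the trust configuration. */
struct domain_realm { const char *domain; const char *realm; };
static const struct domain_realm TRUST_MAP[] = {
    { "ipa3.example.com", "IPA3.EXAMPLE.COM" },
    { "adlab.qe",         "ADLAB.QE" },
};
#define TRUST_MAP_LEN (sizeof TRUST_MAP / sizeof TRUST_MAP[0])

/*
 * Build the principal to authenticate as ("user@REALM") from a login name
 * such as "r2a1@adlab.qe" or "admin", writing it into upn, and return the
 * realm it was built with. The domain suffix is matched case-insensitively
 * (DNS names are), the realm keeps its exact spelling from the table.
 * Returns NULL for an unknown domain, a malformed name, or a buffer that
 * is too small (the caller must not authenticate with a truncated UPN).
 */
const char *realm_for_login(const char *login, char *upn, size_t upn_size)
{
    if (login == NULL || *login == '\0' || upn == NULL)
        return NULL;

    const char *at = strrchr(login, '@');
    const char *domain = (at == NULL) ? TRUST_MAP[0].domain : at + 1;
    size_t user_len = (at == NULL) ? strlen(login) : (size_t)(at - login);

    if (user_len == 0 || *domain == '\0')
        return NULL;

    for (size_t i = 0; i < TRUST_MAP_LEN; i++) {
        if (strcasecmp(domain, TRUST_MAP[i].domain) != 0)
            continue;
        int n = snprintf(upn, upn_size, "%.*s@%s",
                         (int)user_len, login, TRUST_MAP[i].realm);
        if (n < 0 || (size_t)n >= upn_size)
            return NULL;
        return TRUST_MAP[i].realm;
    }
    return NULL;
}

int main(void)
{
    /* Constructed login names: the trusted user from the report, a plain
       IPA user, and a domain that no trust covers. */
    static const char *const logins[] = { "r2a1@adlab.qe", "admin", "r2a1@unknown.test" };
    char upn[128];

    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        const char *realm = realm_for_login(logins[i], upn, sizeof upn);
        if (realm == NULL) {
            printf("%-18s -> no realm known for this domain\n", logins[i]);
            continue;
        }
        printf("%-18s -> %s: own realm %s (%s), IPA realm %s (%s)\n",
               logins[i], upn, realm,
               compare_principal_realm(upn, realm) == REALM_SAME ? "same" : "different",
               TRUST_MAP[0].realm,
               compare_principal_realm(upn, TRUST_MAP[0].realm) == REALM_SAME ? "same" : "different");
    }
    return 0;
}
```

The point of running the comparison against the realm returned by realm_for_login rather than against TRUST_MAP[0].realm is visible in the output for r2a1@adlab.qe: checked against its own realm it matches, checked against the IPA realm it does not, and the latter is exactly the outcome that turns into "compare_principal_realm failed" and a PAM system error for the user.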
Fields changed
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
owner: somebody => sbose
testsupdated: => 0
Fixed in master:
- ba098f8
and sssd-1-9:
- cfed272
resolution: => fixed
status: new => closed
Metadata Update from @pbrezina:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2700
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.