Hi Karl,

Thanks for the detailed report here. This indeed seems like a regression
then.

Would you also mind sharing your workaround here?

** Package changed: openssh (Ubuntu) => sssd (Ubuntu)

** Changed in: sssd (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2072581

Title:
  sssd 2.9.4-1 fails to populate krb creds when set to
  FILE:/run/user/uid/krb5cc

Status in sssd package in Ubuntu:
  Triaged

Bug description:
  sssd fails to create and populate the krb5cc cache when set to 
      default_ccache_name = FILE:/run/user/%{uid}/krb5cc

  
  /var/log/sssd/krb5_child.log shows directory being created and krb5cc 
attempting to be populated, but fails.
  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x3f7c0): [RID#51] 
pac_check is set but PAC responder is not running, failed to properly validate 
PAC, ignored, authentication for [USER\@REALM@REALM] can proceed.
  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): [RID#51] 
sss_send_pac failed, group membership for user with principal 
[USER\@REALM@REALM] might not be correct.
  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] 
krb5_child started.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x1000): 
[RID#51] total buffer size: [155]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): 
[RID#51] cmd [241 (auth)] uid [966406121] gid [966400513] validate [true] 
enterprise principal [true] offline [false] UPN [USER@REALM]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): 
[RID#51] ccname: [FILE:/run/user/966406121/krb5cc] old_ccname: 
[FILE:/run/user/966406121/krb5cc] keytab: [not set]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): 
[RID#51] Missing krb5_keytab option for domain, looking for default one
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): 
[RID#51] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): 
[RID#51] krb5_child will default to: /etc/krb5.keytab
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_use_fast] (0x0100): 
[RID#51] Not using FAST.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [old_ccache_valid] (0x0400): 
[RID#51] Saved ccache FILE:/run/user/966406121/krb5cc doesn't exist, ignoring
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [k5c_check_old_ccache] 
(0x4000): [RID#51] Ccache_file is [FILE:/run/user/966406121/krb5cc] and is not 
active and TGT is not valid.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [k5c_precreate_ccache] 
(0x4000): [RID#51] Recreating ccache
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [create_ccache_dir] (0x2000): 
[RID#51] Creating directory [/run/user/966406121].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [privileged_krb5_setup] 
(0x0080): [RID#51] Cannot open the PAC responder socket
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [become_user] (0x0200): 
[RID#51] Trying to become user [966406121][966400513].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x2000): [RID#51] 
Running as [966406121][966400513].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_lifetime_options] 
(0x0100): [RID#51] Renewable lifetime is set to [30d]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_lifetime_options] 
(0x0100): [RID#51] Lifetime is set to [24h]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_canonicalize_option] 
(0x0100): [RID#51] Canonicalization is set to [true]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] 
Will perform auth
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] 
Will perform online auth
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [tgt_req_child] (0x1000): 
[RID#51] Attempting to get a TGT
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [get_and_save_tgt] (0x0400): 
[RID#51] Attempting kinit for realm [REALM]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_krb5_responder] 
(0x4000): [RID#51] Got question [password].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] 
[sss_krb5_expire_callback_func] (0x2000): [RID#51] exp_time: [14591489]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x2000): 
[RID#51] Found keytab entry with the realm of the credential.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0400): 
[RID#51] TGT verified using key for [HOST$@REALM].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x4000): 
[RID#51] NSS return code [-1], request return code [111][Connection refused].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x0080): 
[RID#51] failed to contact PAC responder
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): 
[RID#51] sss_send_pac failed, group membership for user with principal 
[USER\@REALM@REALM] might not be correct.
  ********************** BACKTRACE DUMP ENDS HERE 
*********************************

  This behavior is not an issue in u22's sssd-2.6.3 and prior

  No LSB modules are available.
  Description:  Ubuntu 24.04 LTS
  Release:      24.04
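A small triage script, added here and not part of the bug report or of sssd itself, that groups krb5_child.log entries by request id, pulls out the ccache name and the directory krb5_child created, and flags entries whose debug level carries an SSSD failure bit (0x0010 through 0x0080). The sample lines are re-joined from the report's line-wrapped backtrace.

```python
import re
from collections import defaultdict

# One krb5_child.log entry; backtrace lines carry a leading "*  " marker.
ENTRY_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
# SSSD debug levels 0x0010..0x0080 are fatal/critical/serious/minor failures;
# masking catches combined levels such as 0x3f7c0 as well.
FAILURE_MASK = 0x00F0

def parse_entries(lines):
    """Yield parsed entries, skipping backtrace banners and blank lines."""
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"], 16)
            yield entry

def triage(lines):
    """Summarise, per request id, what krb5_child did with the ccache."""
    reqs = defaultdict(lambda: {"ccname": None, "dir_created": None,
                                 "tgt_verified": False, "failures": []})
    for e in parse_entries(lines):
        r, msg = reqs[e["rid"]], e["msg"]
        if e["func"] == "unpack_buffer" and msg.startswith("ccname: "):
            r["ccname"] = re.search(r"ccname: \[([^\]]+)\]", msg).group(1)
        elif e["func"] == "create_ccache_dir":
            r["dir_created"] = re.search(r"\[([^\]]+)\]", msg).group(1)
        elif e["func"] == "validate_tgt" and msg.startswith("TGT verified"):
            r["tgt_verified"] = True
        if e["level"] & FAILURE_MASK:
            r["failures"].append((e["func"], msg))
    return dict(reqs)

# Sample input re-joined from the wrapped log in the report above.
SAMPLE_LOG = """\
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] krb5_child started.
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): [RID#51] ccname: [FILE:/run/user/966406121/krb5cc] old_ccname: [FILE:/run/user/966406121/krb5cc] keytab: [not set]
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [create_ccache_dir] (0x2000): [RID#51] Creating directory [/run/user/966406121].
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [privileged_krb5_setup] (0x0080): [RID#51] Cannot open the PAC responder socket
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0400): [RID#51] TGT verified using key for [HOST$@REALM].
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x0080): [RID#51] failed to contact PAC responder
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): [RID#51] sss_send_pac failed, group membership for user with principal [USER\\@REALM@REALM] might not be correct.
"""

if __name__ == "__main__":
    for rid, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"RID#{rid}: {info}")
```

Running it on the real /var/log/sssd/krb5_child.log separates the ignored PAC responder failures from whatever step actually left the ccache unpopulated.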
