Public bug reported: I try to log in using sssd with AD authentication. It fails. When I remove the first key from the keytab, logging in succeeds. Restoring the previous keytab brings the failure back.
Hence, I believe the closing of https://fedorahosted.org/sssd/ticket/1871#comment:2 to be wrong. (But I use Trusty, with sssd-*-1.11.3-1, so I'm not sure whether to report here or at Fedora.)

Additional circumstantial evidence: The offending first key in the keytab belongs to a principal - let's call it 'ADJoiner' - used solely for the purpose of joining the machine to the AD domain (which was done using msktutil). The AD admins here say they deliberately reduced the access rights of ADJoiner. So from the Linux perspective, this principal behaves a bit oddly: I can kgetcred a ticket for many principals in the same realm, but I cannot kgetcred a ticket for ADJoiner. I *can* kinit ADJoiner though.

I believe the cause of the problem to be in src/providers/krb5/krb5_child.c in the loop immediately following the comment:

/* We look for the first entry from our realm or take the last one */

Indeed, if I make that loop skip the first key found (diff below), everything works as expected, whether the ADJoiner key is in the keytab or not. This is an ad-hoc fix for my case of course. I think *all* keys from the keytab should be tried. But sssd obviously intends not to.

*** src/providers/krb5/krb5_child.c.old 2014-01-30 15:48:15.197154787 +0100 --- src/providers/krb5/krb5_child.c 2014-01-30 15:26:02.729103935 +0100 *************** *** 703,706 **** --- 703,707 ---- krb5_ccache validation_ccache = NULL; krb5_authdata **pac_authdata = NULL; + int skip = 0; memset(&keytab, 0, sizeof(keytab)); *************** *** 741,750 **** if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) { ! { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); realm_entry_found = true; break; ! } } --- 742,757 ---- if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) { ! if (skip == 0) ! { ! skip++; ! } ! else ! { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); realm_entry_found = true; break; ! } ! 
} }

** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1274543
Title: sssd-ad uses wrong key to verify tgt at login time
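Review bot: the `int skip = 0;` added to the declarations in the first hunk is a position-based workaround that hard-codes "ignore the first matching entry" rather than identifying which entry is unsuitable, which the report itself calls ad hoc. If it is kept for experimentation, make it a `bool` whose name says what it does (something like `skipped_first_realm_entry`) so the intent is readable where it is tested.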
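Review bot: the `if (skip == 0) { skip++; } else { ... break; }` branch in the second hunk unconditionally discards the first entry of the credential's realm, so on a keytab whose first realm entry is the correct host key it now selects the wrong one, and on a keytab with exactly one entry of that realm `realm_entry_found` is never set and the loop falls through to the "take the last one" fallback from the comment, which is then whatever entry is last regardless of realm. A fix that holds up must not depend on keytab order: select the entry by principal, or, as the report proposes, iterate over every entry of the realm and try each until verification succeeds. Style: sssd keeps the opening brace on the `if` line, and the nested `! {` / `! }` blocks plus the trailing blank `!` line add noise to the diff.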
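To make the "first entry from our realm or take the last one" rule quoted in the report concrete, here is an added example (not code from the bug report or from sssd): a small parser for the MIT keytab file format (version 0x0502) plus the selection rule and the reporter's "try every realm entry" alternative, run over a constructed two-entry keytab in which the AD-join principal precedes the host key. The principal names, realm, key bytes and kvnos are made up.

```python
import struct

def _cstr(b):  # counted_octet_string: uint16 big-endian length + bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(data, pos):  # returns (bytes, offset just after the string)
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, realm, enctype, key, kvno=1):  # writer for constructed test entries
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _cstr(key)  # keyblock (dummy key bytes)
    body += struct.pack(">I", kvno)                  # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):  # walk an MIT keytab (format 0x0502); entries in file order
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        vno8, enctype = struct.unpack_from(">IIBH", data, pos)[2:]  # skip name_type, timestamp
        key, pos = _read_cstr(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "realm": realm.decode(), "kvno": kvno, "enctype": enctype})
    return entries

def sssd_pick(entries, realm):  # rule quoted in the report: first entry of our realm, else the last one
    return next((e for e in entries if e["realm"] == realm), entries[-1] if entries else None)
def realm_candidates(entries, realm):  # the reporter's proposal: every entry of our realm, tried in turn
    return [e for e in entries if e["realm"] == realm]

# Constructed keytab mirroring the report: the AD-join principal first, the host key second.
KEYTAB = (b"\x05\x02" + build_entry("ADJoiner", "EXAMPLE.COM", 23, b"\x00" * 16)
          + build_entry("host/linuxbox.example.com", "EXAMPLE.COM", 18, b"\x11" * 32, kvno=3))
```

Running `sssd_pick(parse_keytab(KEYTAB), "EXAMPLE.COM")` returns the ADJoiner entry, which is the situation the report describes; `realm_candidates` returns both entries so a caller can verify against each in turn.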
