sssd 1.16.2-13 breaks authentication

Sheepykins
Posts: 26
Joined: 2015/06/25 15:41:23

sssd 1.16.2-13 breaks authentication

Post by Sheepykins » 2019/02/12 11:16:59

Hallo :)

hoping one or more of you excellent people can help.

We have an SSSD config that authenticates against a 2008 AD server using LDAP and Kerberos. The machines don't quite get joined to the domain, but an object is created in AD.

Going from 7.1 up to 7.5 just using the latest release packages works fine, but as soon as we moved to 7.6, the sssd config just stopped working for us.

It's an odd one: doing an id username results in just a basic group for my username and no others (but doing a getent on the group shows my username and everyone else in it), and the SSSD journalctl shows "cannot contact any KPCs".

We tried removing some of the OUs in our ldap_group_search_base and it does resolve my id with some groups.

Wondering if anyone else has had any issues with this release? I KNOW the changelog says some authentication methods have been a little naff recently (gssapi).

Haystack
Posts: 8
Joined: 2019/02/12 11:38:26

Re: sssd 1.16.2-13 breaks authentication

Post by Haystack » 2019/02/12 11:49:24

Hi, I've just come to these forums because I'm having problems with sssd too. I was going to make a thread then I saw yours and figured it could be a related issue.
I'm running a FreeIPA server on a Centos 7 VM (KVM) and I'm unable to get ldap authentication to work. I can login as the LDAP users on the IPA server machine, but I can't for the life of me get it to work on any other machine. I've followed the official guide on how to set up clients with sssd and nss-pam-ldapd and nothing works. Even setting it up using ipa-client-install doesn't work.
I feel like something must have changed because I used to have things set up exactly the same way (except I'm not using integrated DNS, that's all handled by dnsmasq on my router now) and I wrote down in my notes exactly how I did it.
The specific error I'm getting is:

Code:

[haystack@host1 ~]$ su - testuser
Password:
su: Authentication failure
journalctl -xeb:

Code:

Feb 12 11:43:39 host1 su[30386]: pam_sss(su-l:auth): authentication failure; logname=haystack uid=1000 euid=0 tty=pts/1 ruser=haystack rhost= user=testuser
Feb 12 11:43:39 host1 su[30386]: pam_sss(su-l:auth): received for user testuser: 7 (Authentication failure)
Feb 12 11:43:41 host1 su[30386]: FAILED SU (to testuser) haystack on pts/1
I can't manage to get any more helpful errors out of it than that... not very useful.

Sheepykins

Re: sssd 1.16.2-13 breaks authentication

Post by Sheepykins » 2019/02/12 12:49:13

@haystack

What do your /var/log/sss logs say? You can turn debugging up in sssd.conf.

As for my issue: previous releases of SSSD worked with my config, now this one doesn't!

Haystack

Re: sssd 1.16.2-13 breaks authentication

Post by Haystack » 2019/02/12 13:08:37

In sssd_pam.log:

Code:

(Tue Feb 12 12:53:27 2019) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [testuser] removed from PAM initgroup cache
In sssd_nss.log:

Code:

(Tue Feb 12 13:02:19 2019) [sssd[pam]] [cache_req_search_send] (0x0400): CR #7: Returning [testuser@example.lan] from cache
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [cache_req_search_ncache_filter] (0x0400): CR #7: This request type does not support filtering result by negative cache
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [cache_req_create_and_add_result] (0x0400): CR #7: Found 2 entries in domain example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [cache_req_done] (0x0400): CR #7: Finished: Success
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is testuser@example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [testuser] added to PAM initgroup cache
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): user: testuser@example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: haystack
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 4473
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: testuser
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x55c5b3455cd0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x55c5b3455cd0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x55c5b34540b0
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [7 (Authentication failure)][example.lan]

Code:

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [testuser]
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_set_name] (0x0400): CR #0: Setting name [testuser]
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain example.lan type POSIX is valid
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [example.lan]
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [example.lan] rules
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up testuser@example.lan
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [testuser@example.lan]
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/example.lan/testuser@example.lan]
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [testuser@example.lan] is not present in negative cache
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Looking up [testuser@example.lan] in cache
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55a32da2f740

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55a32da2f800

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Running timer event 0x55a32da2f740 "ltdb_callback"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55a32da2f800 "ltdb_timeout"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x55a32da2f740 "ltdb_callback"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55a32da2af50

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55a32da2f510

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Running timer event 0x55a32da2af50 "ltdb_callback"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55a32da2f510 "ltdb_timeout"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x55a32da2af50 "ltdb_callback"

(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Returning [testuser@example.lan] from cache
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #0: This request type does not support filtering result by negative cache
(Tue Feb 12 12:55:41 2019) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #0: Found 1 entries in domain example.lan
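A small triage helper for sssd_pam.log output like the block above, added here as an example (not code from the thread or from the sssd project): it parses the sssd debug-line format, collects the pam_print_data fields of each request and pairs them with the pam_dp_process_reply result code, so failed authentications can be listed with user, service and domain. The log line format is assumed from the lines quoted in this thread.

```python
import re

# One sssd debug line: "(timestamp) [sssd[component]] [function] (0xLEVEL): message"
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Reply from the data provider: "received: [7 (Authentication failure)][example.lan]"
PAM_REPLY = re.compile(r"received: \[(?P<code>\d+) \((?P<text>[^)]*)\)\]\[(?P<domain>[^\]]+)\]")


def parse_line(line):
    """Split one sssd log line into its fields, or return None if it does not match."""
    m = SSSD_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # debug level mask, e.g. 0x0100 -> 256
    return rec


def summarize(lines):
    """Pair each request's pam_print_data fields with its final reply code."""
    current, results = {}, []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue
        if rec["func"] == "pam_print_data" and ": " in rec["msg"]:
            key, _, val = rec["msg"].partition(": ")   # "service: su-l" -> ("service", "su-l")
            current[key] = val
        elif rec["func"] == "pam_dp_process_reply":
            r = PAM_REPLY.search(rec["msg"])
            if r:
                results.append({**current, "code": int(r["code"]), "result": r["text"]})
                current = {}
    return results


def failures(lines):
    """Return (user, service, result text) for every request whose reply code is non-zero."""
    return [(x.get("user"), x.get("service"), x["result"]) for x in summarize(lines) if x["code"] != 0]


# Constructed sample: the lines quoted in the thread plus one constructed success reply.
SAMPLE_LOG = """\
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): user: testuser@example.lan
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Feb 12 13:02:19 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [7 (Authentication failure)][example.lan]
(Tue Feb 12 13:05:00 2019) [sssd[pam]] [pam_print_data] (0x0100): user: haystack@example.lan
(Tue Feb 12 13:05:00 2019) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 12 13:05:00 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.lan]
"""

if __name__ == "__main__":
    for user, service, result in failures(SAMPLE_LOG.splitlines()):
        print(f"{user} via {service}: {result}")
```

Run it against a real file with `summarize(open("/var/log/sssd/sssd_pam.log"))`; the pam_print_data lines only appear once debug_level in the [pam] section is raised far enough to include level 0x0100.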

Haystack

Re: sssd 1.16.2-13 breaks authentication

Post by Haystack » 2019/02/12 13:11:09

Is there an easy way to downgrade to an older version of sssd on centos for testing purposes?

Edit: Actually I just checked the version of sssd on one of my clients (they're all on different distros) and it's on sssd version 1.11.7 so I don't think it's an update to sssd that's done it for me :-/ Guess I should make a new thread

Sheepykins

Re: sssd 1.16.2-13 breaks authentication

Post by Sheepykins » 2019/02/12 13:48:13

Haystack wrote:
2019/02/12 13:11:09
Is there an easy way to downgrade to an older version of sssd on centos for testing purposes?

Edit: Actually I just checked the version of sssd on one of my clients (they're all on different distros) and it's on sssd version 1.11.7 so I don't think it's an update to sssd that's done it for me :-/ Guess I should make a new thread
Ah, well, not for my issue, as the latest SSSD package is a dependency for other things I have installed on C7.6.

Haystack

Re: sssd 1.16.2-13 breaks authentication

Post by Haystack » 2019/02/12 14:07:04

Actually I won't even need to create another thread. It turns out the only reason it wasn't working is because I wasn't using the FreeIPA server for DNS... it's a pain that I can't get it to work without doing that but oh well. Good luck with your issue and sorry for clogging up your thread!
