[sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6600

sumit-bose · 2023-03-02T12:47:03Z

Greetings,

I've recently had two cases with the issue below after upgrading to sssd-2.6.2-4.el8_6.x86_64 and would like to know if that's a bug or a feature that we should create a KCS for:

[*] Description of problem:

Authentication is failing after updating sssd pkg.ver to sssd-2.6.2-4.el8_6.x86_64 if client with configured (child) domain cannot speak to forest root:

Child domain (configured): child.root.example.com
Root domain: (not configured): root.example.com

============================
[be[child.root.example.com]] [be_resolve_server_process] (0x0200): Found address for server MSDC01.child.root.example.com: [10.0.0.10] TTL 1200
[be[child.root.example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
-- snip --
[be[child.root.example.com]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: CL01$
[be[child.root.example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
[be[child.root.example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
[be[child.root.example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'root.example.com')
[be[child.root.example.com]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
[be[child.root.example.com]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'root.example.com')]
[be[child.root.example.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
..
[be[child.root.example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'MSDC01.child.root.example.com' as 'not working'
============================

Domain controllers are marked as 'not working' if they cannot pass the sasl_bind to forest root, although domains are still marked as Active.

[*] Version-Release number of selected component (if applicable):

2.6.2-4.el8_6.x86_64

[*] How reproducible:
Always - after updating sssd and if the conditions apply

[*] Additional info:

============================
[be[child.root.example.com]] [ad_domain_info_netlogon_done] (0x0400): [RID#1] Found flat name [CHILD].
[be[child.root.example.com]] [ad_domain_info_netlogon_done] (0x0400): [RID#1] Found site [SITE01].
[be[child.root.example.com]] [ad_domain_info_netlogon_done] (0x0400): [RID#1] Found forest [root.example.com].
============================

Issue is solved after configuring:

-------------------------------------------
[domain/child.root.example.com]
ad_enabled_domains = child.root.example.com
-------------------------------------------

Kind regards,

The text was updated successfully, but these errors were encountered:

sumit-bose · 2023-03-02T12:47:04Z

Bugzilla Bugs:

So far only discovered sub-domains were adding to the [domain_realm] section of one of the krb5 config snippets SSSD is generating. To fix recent issues which were caused my missing entries of the joined domain this domain is now added as well. Resolves: SSSD#6600

So far only discovered sub-domains were adding to the [domain_realm] section of one of the krb5 config snippets SSSD is generating. To fix recent issues which were caused my missing entries of the joined domain this domain is now added as well. Resolves: #6600 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit ebc1e46)

alexey-tikhonov · 2023-04-19T13:43:03Z

Pushed PR: #6604

master
- ebc1e46 - krb5: add joined/parent domain to [domain_realm]
sssd-2-7
- 28ca00b - krb5: add joined/parent domain to [domain_realm]
sssd-2-8
- 02068a0 - krb5: add joined/parent domain to [domain_realm]

sumit-bose self-assigned this Mar 2, 2023

alexey-tikhonov added the Bugzilla label Mar 2, 2023

sumit-bose mentioned this issue Mar 2, 2023

krb5: add joined/parent domain to [domain_realm] #6604

Closed

alexey-tikhonov closed this as completed in ebc1e46 Apr 19, 2023

alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Apr 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6600

[sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6600

sumit-bose commented Mar 2, 2023 •

edited

Loading

sumit-bose commented Mar 2, 2023 •

edited by alexey-tikhonov

Loading

alexey-tikhonov commented Apr 19, 2023

[sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6600

[sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6600

Comments

sumit-bose commented Mar 2, 2023 • edited Loading

sumit-bose commented Mar 2, 2023 • edited by alexey-tikhonov Loading

alexey-tikhonov commented Apr 19, 2023

sumit-bose commented Mar 2, 2023 •

edited

Loading

sumit-bose commented Mar 2, 2023 •

edited by alexey-tikhonov

Loading