Bug#1012502: marked as done (sssd: authentication fails with latest sssd)

Thu, 09 Jun 2022 00:39:17 -0700 

Your message dated Thu, 09 Jun 2022 07:36:00 +0000
with message-id <e1nzci0-00090f...@fasolo.debian.org>
and subject line Bug#1012502: fixed in sssd 2.7.1-2
has caused the Debian Bug report #1012502,
regarding sssd: authentication fails with latest sssd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012502
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: sssd
Version: 2.7.1-1
Severity: critical
Justification: breaks the whole system

Installing sssd 2.7.1-1 causes IPA/krb5 authentication to fail with messages
such as the following in /var/log/sssd/sssd_DOMAIN.log 

(2022-06-07 18:31:36): [be[DOMAIN]] [krb5_auth_done] (0x3f7c0): [RID#10] The 
krb5_child process returned an error. Please inspect the krb5_child.log file or 
the journal for more information
(2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_send] (0x0020): [RID#14] Illegal 
empty authtok for user [USER@DOMAIN]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
[...]
   *  (2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_queue_send] (0x1000): 
[RID#14] Wait queue of user [USER@DOMAIN] is empty, running request 
[0x560b4c6ac820] immediately.
   *  (2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_send] (0x0020): [RID#14] 
Illegal empty authtok for user [USER@DOMAIN]
********************** BACKTRACE DUMP ENDS HERE 
*********************************


while in /var/log/sssd/krb5_child.log:

(2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): 
[RID#10] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
[...]
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x2000): 
[RID#10] Found keytab entry with the realm of the credential.
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0400): 
[RID#10] TGT verified using key for [PRINCIPAL@DOMAIN].
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): 
[RID#10] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE 
*********************************

(2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0020): [RID#10] 
PAC check failed for principal [USER@DOMAIN].
(2022-06-07 18:31:36): [krb5_child[2481391]] [get_and_save_tgt] (0x0020): 
[RID#10] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0020): 
[RID#10] PAC check failed for principal [USER@DOMAIN].
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [get_and_save_tgt] (0x0020): 
[RID#10] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE 
*********************************

(2022-06-07 18:31:36): [krb5_child[2481391]] [map_krb5_error] (0x0020): 
[RID#10] [1432158308][PAC check failed].
(2022-06-08  8:06:08): [krb5_child[2498572]] [sss_extract_pac] (0x0040): 
[RID#93] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
[...]


Reverting to sssd 2.6.3-3 immediately reestablishes authentication.

--- End Message ---
--- Begin Message --- 
Source: sssd
Source-Version: 2.7.1-2
Done: Timo Aaltonen <tjaal...@debian.org>

We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated sssd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jun 2022 10:19:37 +0300
Source: sssd
Built-For-Profiles: noudeb
Architecture: source
Version: 2.7.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team <pkg-sssd-de...@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Closes: 1012502
Changes:
 sssd (2.7.1-2) unstable; urgency=medium
 .
   * pac-relax-default-for-pac_check-option.diff: Drop pac_present from
     default PAC check. (Closes: #1012502)
Checksums-Sha1:
 aaa801be26f9b0b1ea25538bada1eb5bc1a44f52 5070 sssd_2.7.1-2.dsc
 222c4f5114b98404bc779bd78a98395e30be4e36 40024 sssd_2.7.1-2.debian.tar.xz
 3a7f7380078e4e13d36a6199aae6bb02d789a2a9 9618 sssd_2.7.1-2_source.buildinfo
Checksums-Sha256:
 4ac7b2fecfdb6fae14a69fb119c9b75fd2ea54926496518340f20f277f11987a 5070 
sssd_2.7.1-2.dsc
 60b1b297ba3642e467459a6ae7f722228c854105b3368d24db50115119c25160 40024 
sssd_2.7.1-2.debian.tar.xz
 4bbb42118c1fbf97f73820063cb59be5ef61a6b7f20b5cb1de3f8aa20f781b4e 9618 
sssd_2.7.1-2_source.buildinfo
Files:
 4ef79c89402c4fd74b14de0d5aae4c86 5070 utils optional sssd_2.7.1-2.dsc
 e44374fb1f0ad058485bfde3d479eca8 40024 utils optional 
sssd_2.7.1-2.debian.tar.xz
 dd27afbd42044dd625d83fb3f844b4ad 9618 utils optional 
sssd_2.7.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmKhnxIACgkQy3AxZaiJ
hNxwcw/+JhDoGdk9EVAoDpm+bOiN4zMniG/kwoXOMN6+rd/ZjWY911xn83LAWfB1
PuZ1pGdnr6jM460aj98rgBQRcINKYuedlCwceaz4BdVa3U2DMvJDc/iFBS0zKMFg
dTjsaKACenu+0ucEMUF3z0f7Da24368P/5ULUpdjLPGWu1YNu/8VidI+P1oTTdP1
DE5o4BA0NgAW7JUNgyPfoWJg0e8o+4cEyc1WdM2nIA1/y+4voszVa9oUkF8u7Y+I
PMZmmY6RD9YwCkqrilIm3OwaQzqGgung8pISllOnbsnsUJfGuqgxMzuiN8FJ0U0m
EBA0lvVKTVF0pP+0kBrNGCRpRW7SwpYPmmxQXDEM+Y3GBpc69XdhGYrTQGTLRxde
XJueemy9Q8X85vNXebFwbcPNGUSOkPiltAdAaBKrcevq0rLhYqcBsYpbfnUbZaYr
utWPHUcZi8sUCex80DpmRRnxY/O6hiU/71KyuOZwIQqNE4hBmmKZ2KBhnes0x9It
osG8tWaTt5bQ37XGIQY4x6SyM7RnFnqmI7dNxAb0rlnksEkczTlXRuVycpaDU4VI
w0T67Z6INRx2K/dEjL5KnFYN26t277USTc+59wN4UxumVVufcv4QZ//sRvv7/+kJ
blvLg279HhYQ2G2g9VScum/Zt9lbHAZ3bNJS9WXraEHgv8Zf7d0=
=XACq
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to