[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)

Brian Murray brian at ubuntu.com
Thu Aug 17 22:49:07 UTC 2017


Hello Michael, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.7
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: sssd (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1664566

Title:
  sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Committed

Bug description:
  [Impact]

  Users cannot rely on the sssd krb5 locator plugin. Effect varies from
  slow logins (client trying to reach many different KDCs instead of
  directly the one specified by sssd configuration) to failed logins.

  The bug is simple, and so is the fix. The plugin was installed in the
  wrong directory.

  [Test Case]
  This test case does not reproduce the exact scenario reported by the user, but is good enough to prove that the plugin is not loaded in the broken package, and is loaded just fine in the fixed package.

  * install the packages on a xenial system. I suggest using LXD:
  $ sudo apt install sssd krb5-kdc krb5-admin-server libpam-sss

  For the kerberos prompts, answer:
  - default kerberos realm: EXAMPLE.COM
  - kerberos servers: just hit enter
  - administrative server: just hit enter

  * create the EXAMPLE.COM realm. Use any password during the creation, it doesn't matter:
  $ sudo krb5_newrealm

  * create the ubuntu principal in the EXAMPLE.COM realm with a password of "ubuntu". Note: please make sure your local ubuntu user uses a different password, or has none at all. When we login successfully later, we want to be sure it was via kerberos, and not the local user.
  $ sudo kadmin.local -q "addprinc -pw ubuntu ubuntu@EXAMPLE.COM"

  * configure the krb5 libraries to use a fake realm by default
  - edit /etc/krb5.conf
  - replace the default_realm value in [libdefaults] with LOCALHOST (just so it fails quickly):
    [libdefaults]
        default_realm = LOCALHOST
  - do not restart the kerberos services

  * Create the sssd configuration file /etc/sssd/sssd.conf with these contents:
  """
  [sssd]
  config_file_version = 2
  services = pam
  domains = kerberos.example.com

  [pam]

  [domain/kerberos.example.com]
  id_provider = proxy
  proxy_lib_name = files
  auth_provider = krb5
  krb5_server = YOURADDRESS
  krb5_realm = EXAMPLE.COM
  """
  - replace YOURADDRESS with the IP of your test container or VM (do not use 127.0.0.1)
  - IMPORTANT: sudo chmod 0600 /etc/sssd/sssd.conf

  * Start sssd:
  $ sudo systemctl start sssd.service

  * in one terminal:
  $ tail -f /var/log/syslog

  * in another terminal, run:
  $ sudo login (or just become root and run login)

  * attempt to login as ubuntu with the kerberos password created earlier ("ubuntu"):
  $ sudo login
  xenial-sssd-krb5-locator-1664566 login: ubuntu
  Password:

  Login incorrect

  * observe that syslog complains about not finding the KDC for the EXAMPLE.COM realm:
  Jul 21 21:03:40 xenial-sssd-krb5-locator-1664566 [sssd[krb5_child[13628]]]: Cannot find KDC for realm "EXAMPLE.COM"

  * /var/log/auth will report a general PAM error with no specifics

  * install the fixed packages from proposed

  * retry the login as ubuntu:
  - login succeeds
  - no errors in /var/log/syslog
  - /var/log/auth will report a good login via pam_sss

  * run klist to verify you have the kerberos tgt:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000_XTpaOo
  Default principal: ubuntu@EXAMPLE.COM

  Valid starting Expires Service principal
  07/21/2017 21:05:26 07/22/2017 07:05:26 krbtgt/EXAMPLE.COM@EXAMPLE.COM
          renew until 07/22/2017 21:05:26

  - run kdestroy followed by kinit to verify you will NOT get the tgt, because /etc/krb5.conf is still specifying the incorrect realm:
  $ kdestroy
  $ kinit
  kinit: Cannot find KDC for realm "LOCALHOST" while getting initial credentials

  This proves that the krb5 locator sssd plugin was loaded and worked,
  because it found the right realm and its KDC via the sssd
  configuration only.

  [Regression Potential]
  The fix is just placing the plugin in the correct directory. Users have already been using a workaround of symlinking the file, or even copying it manually over to the right place.

  The directory where the plugin was located, and where it is located
  now, is private, and no other packages will be loading it other than
  SSSD. So changing its location should not affect other software
  installed on the system.

  [Other Info]
  None at this time.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1664566/+subscriptions
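As an added example that is not part of the bug report or of the sssd package, the POSIX shell helpers below automate the checks the test case above does by hand: that /etc/sssd/sssd.conf is mode 0600 and names a real krb5_server and krb5_realm, that sssd_krb5_locator_plugin.so sits where libkrb5 actually loads plugins from, and how many "Cannot find KDC" lines krb5_child has written to syslog. The plugin directory default (the multiarch MIT krb5 libkrb5 plugin path) is an assumption about Ubuntu's layout, and the function names are my own; pass your own directory and files to the functions to use them elsewhere.

```shell
#!/bin/sh
# Added verification helpers for the locator-plugin test case. Not from the
# bug report or the sssd package; the plugin directory is an assumption.

# sssd refuses to start unless sssd.conf is mode 0600, and the krb5 provider
# needs a real server address (not the YOURADDRESS placeholder or loopback).
sssd_conf_check() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    mode=$(stat -c '%a' "$conf")
    [ "$mode" = "600" ] || { echo "$conf: mode $mode, expected 600"; return 1; }
    server=$(sed -n 's/^[[:space:]]*krb5_server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    realm=$(sed -n 's/^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    case "$server" in
        ""|YOURADDRESS|127.0.0.1)
            echo "$conf: krb5_server must be the host's real address"; return 1 ;;
    esac
    [ -n "$realm" ] || { echo "$conf: krb5_realm not set"; return 1; }
    echo "$conf: ok (krb5_server=$server krb5_realm=$realm)"
    return 0
}

# Look for the locator plugin where libkrb5 loads it from. The default is the
# multiarch MIT krb5 plugin directory (assumed); pass a directory to override.
locator_plugin_check() {
    arch=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null || echo x86_64-linux-gnu)
    dir="${1:-/usr/lib/$arch/krb5/plugins/libkrb5}"
    plugin="$dir/sssd_krb5_locator_plugin.so"
    if [ -e "$plugin" ]; then
        echo "locator plugin present: $plugin"
        return 0
    fi
    echo "locator plugin NOT found at $plugin (bug symptom, or package missing)"
    return 1
}

# Count the krb5_child "Cannot find KDC" lines in a syslog file; this is the
# failure signature the test case watches for with tail -f. Prints the count
# and returns non-zero when any were found.
kdc_lookup_failures() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    n=$(grep -c 'krb5_child.*Cannot find KDC for realm' "$1" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Stand-alone run against the live system (nothing happens during sourcing).
if [ "${0##*/}" = "sssd_locator_check.sh" ]; then
    sssd_conf_check /etc/sssd/sssd.conf
    locator_plugin_check
    kdc_lookup_failures /var/log/syslog
fi
```

Save the block as sssd_locator_check.sh on the test container and run it once before and once after installing the fixed package: the plugin check should flip from "NOT found" to "present", and a fresh login attempt should stop adding to the "Cannot find KDC" count.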
