Problem with keytab renewal, breaking authentication when sssd is joined to an AD domain

Bug #1590471 reported by Camilo Vargas
This bug affects 2 people
Affects: sssd (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

When using sssd to join an AD domain without adcli installed, there is a problem with keytab renewal, breaking authentication in some scenarios.

Workaround:
apt-get install adcli

Workaround found in:
http://thread.gmane.org/gmane.linux.redhat.sssd.user/4065

Related bugs:
https://fedorahosted.org/sssd/ticket/3017
https://fedorahosted.org/sssd/ticket/3016

Relevant /var/log/sssd/sssd_AD.ACTIVARSAS.CO.log
------------------------------------------------
(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child.
(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [child_sig_handler] (0x0020): child [2533] was terminated by signal [9].
------------------------------------------------

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 8 09:53:41 2016
InstallationDate: Installed on 2016-06-07 (0 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcEnviron:
 LANGUAGE=es_CO:es
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=es_CO.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)
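Added example (not from the bug report, from sssd, or from Ubuntu): a small Python checker for the failure mode described above. It parses sssd debug-log lines in the layout quoted in the report and flags entries where the "AD machine account password renewal" periodic task timed out or failed, and it reads `klist -kt` output to tell whether the newest key in the keytab is older than 30 days, the default of sssd's `ad_maximum_machine_account_password_age`. Assumptions: the MIT krb5 `klist -kt` timestamp layout (`MM/DD/YYYY HH:MM:SS`, C locale), and that the timestamp of the newest keytab entry approximates the last successful rotation. The three failure lines are the ones quoted in the report; the benign log line, the host names and the keytab listing are constructed.

```python
"""Check sssd AD machine-account password renewal from logs and the keytab.

Added example; not code from the bug report, sssd or Ubuntu.
"""
import re
from datetime import datetime, timedelta

# One sssd debug line: (ctime) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
SSSD_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
SSSD_TS_FMT = "%a %b %d %H:%M:%S %Y"

# One `klist -kt` entry (MIT krb5, C locale; assumption): KVNO  MM/DD/YYYY HH:MM:SS  principal
KLIST_LINE_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<princ>\S+)\s*$"
)
KLIST_TS_FMT = "%m/%d/%Y %H:%M:%S"

# Default of sssd's ad_maximum_machine_account_password_age, in days.
DEFAULT_MAX_PASSWORD_AGE_DAYS = 30
RENEWAL_TASK = "AD machine account password renewal"

# Constructed benign line first, then the three lines quoted in the report.
SAMPLE_LOG = [
    "(Wed Jun 8 09:38:20 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [be_ptask_execute] (0x0400): "
    "Task [AD machine account password renewal]: executing task, timeout 60 seconds",
    "(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] "
    "[ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child.",
    "(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [be_ptask_done] (0x0040): "
    "Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed",
    "(Wed Jun 8 09:38:25 2016) [sssd[be[AD.ACTIVARSAS.CO]]] [child_sig_handler] (0x0020): "
    "child [2533] was terminated by signal [9].",
]

# Constructed `klist -kt /etc/krb5.keytab` output: one rotation (KVNO 2 -> 3).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/01/2016 10:12:33 host/ws01.example.test@AD.EXAMPLE.TEST
   2 05/01/2016 10:12:33 WS01$@AD.EXAMPLE.TEST
   3 06/07/2016 18:40:02 host/ws01.example.test@AD.EXAMPLE.TEST
   3 06/07/2016 18:40:02 WS01$@AD.EXAMPLE.TEST
"""


def parse_sssd_line(line):
    """Split one sssd debug line into its fields; None if the layout does not match."""
    m = SSSD_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], SSSD_TS_FMT)
    rec["level"] = int(rec["level"], 16)
    return rec


def find_renewal_failures(lines):
    """Return (timestamp, function, message) for each line showing the renewal task failing."""
    hits = []
    for line in lines:
        rec = parse_sssd_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "ad_machine_account_password_renewal_timeout":
            hits.append((rec["ts"], func, msg))
        elif func == "be_ptask_done" and RENEWAL_TASK in msg and "failed" in msg:
            hits.append((rec["ts"], func, msg))
    return hits


def newest_keytab_entry(klist_output):
    """Return (kvno, timestamp, principal) of the most recently written key, or None."""
    newest = None
    for line in klist_output.splitlines():
        m = KLIST_LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], KLIST_TS_FMT)
        if newest is None or when > newest[1]:
            newest = (int(m["kvno"]), when, m["princ"])
    return newest


def keytab_overdue(klist_output, now, max_age_days=DEFAULT_MAX_PASSWORD_AGE_DAYS):
    """True if the newest keytab key is older than max_age_days (or no key parses).

    `now` may be a datetime or an ISO 8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    newest = newest_keytab_entry(klist_output)
    if newest is None:
        return True
    return now - newest[1] > timedelta(days=max_age_days)


if __name__ == "__main__":
    for ts, func, msg in find_renewal_failures(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {func}: {msg}")
    print("newest keytab entry:", newest_keytab_entry(SAMPLE_KLIST))
    print("overdue on 2016-07-20:", keytab_overdue(SAMPLE_KLIST, "2016-07-20"))
```

In practice, feed it the lines of `/var/log/sssd/sssd_<DOMAIN>.log` and the output of `klist -kt /etc/krb5.keytab`. A hit from `find_renewal_failures` is the actionable signal; the keytab age only shows that rotation has stopped, not by itself that authentication will fail, which is why the report says "in some scenarios".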

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I don't see this in Debian sssd packaging either. This should be sent up to Debian for consideration to add a Depends or Recommends on adcli.

Changed in sssd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: needs-upstream-report
Timo Aaltonen (tjaalton) wrote :

I'm the maintainer on both Debian and Ubuntu, and am not convinced it should depend on adcli. The related bugs should get fixed, though.

tags: removed: needs-upstream-report
Jakub Hrozek (jakub-hrozek) wrote :

The bugs were fixed some time ago, you can just cherry-pick the patches from the stable sssd-1-13 branch.

Joel Cesar Zamboni (joel.zamboni) wrote :

Hi Timo,

I can tell for sure that this bug happens; we had 40+ workstations running Ubuntu and a workaround of restarting the SSSD daemon every 5 minutes (cron) just to keep it working. When I saw the article on the Fedora team and installed adcli, it just worked.

Initially I opened the bug on the documentation side, because I understood it would be easier to fix the documents than the code/package. Please, can you return the bug to the documentation team so at least people won't get stuck?

Regards,

Joel Zamboni

Doug Smythies (dsmythies) wrote :

@Joel: We will not change the Ubuntu serverguide with respect to this problem. The problem itself should be fixed.

Do not set this back (it was originally the duplicate, actually) to the serverguide project.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.15.0-3ubuntu1

---------------
sssd (1.15.0-3ubuntu1) zesty; urgency=medium

  * Build without the secrets service as libhttp-parser2.1 is in universe. An
    MIR is pending in LP 1638957; when this is complete, we can revert this.
    - Configure with --without-secrets.
    - Drop build depends on libhttp-parser-dev and libjansson-dev. These are
      only needed for the "secrets service".
    - Remove secrets service -related files from d/sssd-common.install and in
      d/rules.

 -- Robie Basak <email address hidden> Tue, 07 Feb 2017 19:37:45 +0000

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
Robie Basak (racb) wrote :

This isn't quite resolved for Ubuntu. I didn't realise when I first responded to this bug that adcli was in universe. So we have a component mismatch between sssd-ad and adcli at the moment.

Changed in sssd (Ubuntu):
status: Fix Released → Confirmed
Robie Basak (racb) wrote :

So if I understand this report correctly, the problem was that there was a problem with keytab renewal, breaking authentication in some scenarios, and that installing adcli "fixed" it. However, this was a bug, and installing adcli shouldn't have been necessary. Installing adcli was really a workaround, and we believe this is fixed properly now.

So, Timo has demoted adcli to Suggests in Debian (https://anonscm.debian.org/cgit/pkg-sssd/sssd.git/commit/?id=d26fd6b8d6dfe9cb3d74c0caa8566bfc3fc7b977). I'll upload the same thing in Ubuntu shortly to fix the component mismatch.

So "add adcli as sssd dependency" was inadvertently presupposing the solution, we have fixed the root cause, and so we won't be adding adcli as an sssd dependency after all. But this bug is fixed, because sssd should work correctly without adcli installed again, so I'm marking this bug Fix Released.

If any of this is wrong, please do correct me. I'll stay subscribed to the bug.

summary: changed from "add adcli as sssd dependency" to "Problem with keytab renewal, breaking authentication when sssd is joined to an AD domain"
Changed in sssd (Ubuntu):
status: Confirmed → Fix Released
Robie Basak (racb) wrote :

So I think the original problem was fixed in sssd_1.15.0-3ubuntu1, and I've fixed the component mismatch by dropping adcli down to a Suggests in sssd_1.15.0-3ubuntu2.

description: updated
description: updated