sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)

Bug #1664566 reported by Michael Smith on 2017-02-14
Affects: sssd (Ubuntu) / Importance: Undecided / Assigned to: Unassigned
Affects: Xenial / Importance: Medium / Assigned to: Andreas Hasenack

Bug Description

[Impact]

Users cannot rely on the sssd krb5 locator plugin. The effect varies from slow logins (the client trying to reach many different KDCs instead of going directly to the one specified in the sssd configuration) to failed logins.

The bug is simple, and so is the fix. The plugin was installed in the wrong directory.

[Test Case]
This test case does not reproduce the exact scenario reported by the user, but is good enough to prove that the plugin is not loaded in the broken package, and is loaded just fine in the fixed package.

* install the packages on a xenial system. I suggest using LXD:
$ sudo apt install sssd krb5-kdc krb5-admin-server libpam-sss

For the kerberos prompts, answer:
- default kerberos realm: EXAMPLE.COM
- kerberos servers: just hit enter
- administrative server: just hit enter

* create the EXAMPLE.COM realm. Use any password during the creation, it doesn't matter:
$ sudo krb5_newrealm

* create the ubuntu principal in the EXAMPLE.COM realm with a password of "ubuntu". Note: please make sure your local ubuntu user uses a different password, or has none at all. When we log in successfully later, we want to be sure it was via kerberos, and not the local user.
$ sudo kadmin.local -q "addprinc -pw ubuntu <email address hidden>"

* configure the krb5 libraries to use a fake realm by default
- edit /etc/krb5.conf
- replace the default_realm value in [libdefaults] with LOCALHOST (just so it fails quickly):
  [libdefaults]
      default_realm = LOCALHOST
- do not restart the kerberos services

* Create the sssd configuration file /etc/sssd/sssd.conf with these contents:
"""
[sssd]
config_file_version = 2
services = pam
domains = kerberos.example.com

[pam]

[domain/kerberos.example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = YOURADDRESS
krb5_realm = EXAMPLE.COM
"""
- replace YOURADDRESS with the IP of your test container or VM (do not use 127.0.0.1)
- IMPORTANT: sudo chmod 0600 /etc/sssd/sssd.conf

* Start sssd:
$ sudo systemctl start sssd.service

* in one terminal:
$ tail -f /var/log/syslog

* in another terminal, run:
$ sudo login (or just become root and run login)

* attempt to log in as ubuntu with the kerberos password created earlier ("ubuntu"):
$ sudo login
xenial-sssd-krb5-locator-1664566 login: ubuntu
Password:

Login incorrect

* observe that syslog complains about not finding the KDC for the EXAMPLE.COM realm:
Jul 21 21:03:40 xenial-sssd-krb5-locator-1664566 [sssd[krb5_child[13628]]]: Cannot find KDC for realm "EXAMPLE.COM"

* /var/log/auth will report a general PAM error with no specifics

* install the fixed packages from proposed

* retry the login as ubuntu:
- login succeeds
- no errors in /var/log/syslog
- /var/log/auth will report a good login via pam_sss

* run klist to verify you have the kerberos tgt:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_XTpaOo
Default principal: <email address hidden>

Valid starting Expires Service principal
07/21/2017 21:05:26 07/22/2017 07:05:26 <email address hidden>
        renew until 07/22/2017 21:05:26

- run kdestroy followed by kinit to verify you will NOT get the tgt, because /etc/krb5.conf is still specifying the incorrect realm:
$ kdestroy
$ kinit
kinit: Cannot find KDC for realm "LOCALHOST" while getting initial credentials

This proves that the krb5 locator sssd plugin was loaded and worked, because it found the right realm and its KDC via the sssd configuration only.

[Regression Potential]
The fix is just placing the plugin in the correct directory. Users have already been using a workaround of symlinking the file, or even copying it manually over to the right place.

The directory where the plugin was located, and where it is located now, is private, and no other packages will be loading it other than SSSD. So changing its location should not affect other software installed on the system.

[Other Info]
None at this time.
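As an added diagnostic (not part of this bug report or of the sssd or krb5 packages), the bash check below tells you whether sssd_krb5_locator_plugin.so is in the directory libkrb5 actually scans, using the same strings(1) lookup mentioned later in the thread. It assumes the MIT krb5 layout of locator plugins under <plugin base dir>/libkrb5 and that the base dir appears as a string in libkrb5.so.3; the function names and the --live flag are this example's own.

```bash
#!/bin/bash
# Added diagnostic, not part of the bug report or of the sssd/krb5 packages.
# It checks whether sssd_krb5_locator_plugin.so sits where libkrb5 actually
# scans for locator modules. Assumption (MIT krb5 layout): locator plugins
# live in <plugin base dir>/libkrb5, and the base dir is compiled into
# libkrb5.so.3 as a string, which is what 'strings ... | grep plugins' shows.

SO_NAME="sssd_krb5_locator_plugin.so"

# Read strings(1) output on stdin and print the compiled-in plugin base dir.
# A trailing "/libkrb5" component is stripped so the result is the base dir.
plugin_dir_from_strings() {
    grep -o '[^[:space:]]*krb5/plugins[^[:space:]]*' | head -n 1 \
        | sed 's#/libkrb5$##'
}

# $1: plugin base dir; $2: root to search for a misplaced copy (constructed
# test trees pass a temp dir; the live check uses /usr/lib).
# Returns 0 when libkrb5 will find the plugin, 1 when it will not.
locator_plugin_loadable() {
    local plugin_base="$1" search_root="${2:-/usr/lib}"
    local expected="$plugin_base/libkrb5/$SO_NAME"
    if [ -e "$expected" ]; then
        echo "OK: $expected present, libkrb5 will load the sssd locator"
        return 0
    fi
    echo "NOT LOADED: libkrb5 scans $plugin_base/libkrb5 but $SO_NAME is absent"
    # A copy elsewhere is the symptom of this bug: right file, wrong directory.
    find "$search_root" -name "$SO_NAME" 2>/dev/null | sed 's/^/  found instead at: /'
    return 1
}

# Live check: locate libkrb5.so.3 via the linker cache and read its plugin dir.
check_live() {
    local lib base
    lib=$(ldconfig -p | awk '/libkrb5\.so\.3 / { print $NF; exit }')
    [ -n "$lib" ] || { echo "libkrb5.so.3 not found in ldconfig cache"; return 2; }
    base=$(strings "$lib" | plugin_dir_from_strings)
    [ -n "$base" ] || { echo "no plugin path string found in $lib"; return 2; }
    locator_plugin_loadable "$base" /usr/lib
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `bash check.sh --live` on the client; a symlinked or copied plugin (the workaround mentioned in the report) is reported as loadable, since only presence at the scanned path matters.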


description: updated
tags: added: apport-collected uec-images xenial
description: updated
Timo Aaltonen (tjaalton) wrote :

You're right, running 'strings /usr/lib/../libkrb5.so.3|grep plugins' shows that it's ../krb5/plugins/libkrb5. For some reason I changed it to plugins/krb5 some years ago, without a bug reference.. oh well, changed it back now, fixed in git.

Changed in sssd (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.15.2-1ubuntu1

---------------
sssd (1.15.2-1ubuntu1) zesty; urgency=medium

  * Merge from Debian.
    - new bugfix release

sssd (1.15.2-1) unstable; urgency=medium

  * New upstream release.
  * control: Demote adcli to sssd-ad suggests.
  * rules, common.install: Fix sssd_krb5_locator_plugin install path.
    (LP: #1664566)
  * control, copyright, watch: Update upstream URLs.
  * common.install: Add libsss_files and socket activation helper.

 -- Timo Aaltonen <email address hidden> Thu, 06 Apr 2017 12:45:49 +0300

Changed in sssd (Ubuntu):
status: Fix Committed → Fix Released

Please can this fix be backported to xenial, otherwise AD integration can be quite flaky for the current LTS release and the problem/fix is not immediately obvious.

tags: added: server-next
Andreas Hasenack (ahasenack) wrote :

I'll work on this next.

Changed in sssd (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Xenial):
status: Confirmed → In Progress
description: updated
description: updated

Reviewed the changes and sponsored the Upload, SRU Template ready and in unapproved now.
Thanks for your work Andreas!
Ready for the SRU Team to evaluate.

Andreas Hasenack (ahasenack) wrote :

I filed https://bugs.launchpad.net/debian/+source/krb5/+bug/1710634 to fix the libkrb5 plugins directory location and creation. There is no such plugin shipped with krb5 itself, that's why this was never noticed before I believe.

Hello Michael, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Andreas Hasenack (ahasenack) wrote :

Xenial verification

Confirmation of the bug with the current package:
- login failed:
Aug 21 12:14:06 xenial-sssd-sru-1664566 [sssd[krb5_child[4787]]]: Cannot find KDC for realm "EXAMPLE.COM"
Aug 21 12:14:06 xenial-sssd-sru-1664566 [sssd[krb5_child[4787]]]: Cannot find KDC for realm "EXAMPLE.COM"

- terminal:
ubuntu@xenial-sssd-sru-1664566:~$ sudo login
xenial-sssd-sru-1664566 login: ubuntu
Password:

Login incorrect
xenial-sssd-sru-1664566 login:

With packages from proposed the test case passes:
$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.7
  Candidate: 1.13.4-1ubuntu1.7
  Version table:
 *** 1.13.4-1ubuntu1.7 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.13.4-1ubuntu1.6 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     1.13.4-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

Retrying login:
ubuntu@xenial-sssd-sru-1664566:~$ sudo login
xenial-sssd-sru-1664566 login: ubuntu
Password:
Last login: Mon Aug 21 12:13:39 UTC 2017 from 10.0.100.1 on pts/1
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-32-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

18 packages can be updated.
0 updates are security updates.

We have a kerberos ticket:
ubuntu@xenial-sssd-sru-1664566:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_ctLjPX
Default principal: <email address hidden>

Valid starting Expires Service principal
08/21/2017 12:15:22 08/21/2017 22:15:22 <email address hidden>
 renew until 08/22/2017 12:15:22

And a new plain kinit fails as expected:
ubuntu@xenial-sssd-sru-1664566:~$ kdestroy
ubuntu@xenial-sssd-sru-1664566:~$ kinit
kinit: Cannot find KDC for realm "LOCALHOST" while getting initial credentials
ubuntu@xenial-sssd-sru-1664566:~$

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.7

---------------
sssd (1.13.4-1ubuntu1.7) xenial; urgency=medium

  * d/rules, d/sssd-common.install: Fix sssd_krb5_locator_plugin install path.
    (LP: #1664566)

 -- Andreas Hasenack <email address hidden> Fri, 21 Jul 2017 14:17:56 -0300

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
