View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0017998||CentOS-8||sssd||public||2021-01-07 16:05||2021-01-07 16:07|
|Target Version||Fixed in Version|
|Summary||0017998: Updating to sssd-2.4.0-3 breaks Kerberos authentication for users with cached credentials|
|Description||sssd-2.4.0-3 was recently rolled out in the BaseOS repository for CentOS Stream, but that package suffers from the update-path issue documented here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-075cc71cb8. The effect is that updating from an earlier sssd to that one breaks Kerberos logins for users who have existing cached credentials.|
|Steps To Reproduce||1. Start with a CentOS 8.2 system, or a CentOS Stream system having sssd-2.2.3-20.
2. Join the machine to a Kerberos realm, and configure the machine to authenticate users against that realm.
3. Log in as a Kerberos-authenticated user, then log out.
4. Update to sssd-2.4.0-3 from the latest CentOS "baseos" repository.
5. Attempt to log in again as the same Kerberos-authenticated user.
|Additional Information||As I read the commentary, it appears that this flaw is unique to the sssd-2.4.0-3 package (and its subpackages). Downgrading sssd to any earlier version, including sssd-2.4.0-2, supposedly resolves the issue in Fedora. Downgrading to sssd-2.2.3-20 resolved it for me on CentOS Stream. According to its change log, Fedora's sssd-2.4.0-4 does not suffer from the same upgrade issue.|
|Tags||authentication, kerberos, update|