View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017998 | CentOS-8 | sssd | public | 2021-01-07 16:05 | 2021-01-07 16:07 |
Reporter | jcbollinger | ||||
Priority | normal | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 8.3.2011 | ||||
Target Version | Fixed in Version | ||||
Summary | 0017998: Updating to sssd-2.4.0-3 breaks kerberos authentication for users with cached credentials | ||||
Description | sssd-2.4.0-3 was recently rolled out in the BaseOS repository for CentOS Stream, but that package suffers from the update-path issue documented here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-075cc71cb8. The effect is that updating from an earlier sssd to that one breaks kerberos logins for users who have existing cached credentials. | ||||
Steps To Reproduce | 1. Start with a CentOS 8.2 system, or a CentOS Stream system having sssd-2.2.3-20 2. Join the machine to a Kerberos realm, and configure the machine to authenticate users against that realm 3. Log in as a Kerberos-authenticated user, then log out. 4. Update to sssd-2.4.0-3 from the latest CentOS "baseos" repository. 5. Attempt to log in again as the same kerberos-authenticated user. | ||||
Additional Information | As I read the commentary, it appears that this flaw is unique to the sssd-2.4.0-3 package (and its subpackages). Downgrading sssd to any earlier version, including sssd-2.4.0-2, supposedly resolves the issue in Fedora. Downgrading to sssd-2.2.3-20 resolved it for me on CentOS Stream. According to its change log, Fedora's sssd-2.4.0-4 does not suffer from the same upgrade issue. | ||||
Tags | authentication, kerberos, update | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2021-01-07 16:05 | jcbollinger | New Issue | |
2021-01-07 16:05 | jcbollinger | Tag Attached: authentication | |
2021-01-07 16:07 | jcbollinger | Tag Attached: update | |
2021-01-07 16:07 | jcbollinger | Tag Attached: kerberos |