View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0017998CentOS-8sssdpublic2021-01-07 16:052021-01-07 16:07
Reporterjcbollinger 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version8.3.2011 
Target VersionFixed in Version 
Summary0017998: Updating to sssd-2.4.0-3 breaks kerberos authentication for users with cached credentials
Descriptionsssd-2.4.0-3 was recently rolled out in the BaseOS repository for CentOS Stream, but that package suffers from the update-path issue documented here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-075cc71cb8. The effect is that updating from an earlier sssd to that one breaks kerberos logins for users who have existing cached credentials.
Steps To Reproduce1. Start with a CentOS 8.2 system, or a CentOS Stream system having sssd-2.2.3-20
2. Join the machine to a Kerberos realm, and configure the machine to authenticate users against that realm
3. Log in as a Kerberos-authenticated user, then log out.
4. Update to sssd-2.4.0-3 from the latest CentOS "baseos" repository.
5. Attempt to log in again as the same kerberos-authenticated user.
Additional InformationAs I read the commentary, it appears that this flaw is unique to the sssd-2.4.0-3 package (and its subpackages). Downgrading sssd to any earlier version, including sssd-2.4.0-2, supposedly resolves the issue in Fedora. Downgrading to sssd-2.2.3-20 resolved it for me on CentOS Stream. According to its change log, Fedora's sssd-2.4.0-4 does not suffer from the same upgrade issue.
Tagsauthentication, kerberos, update

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-01-07 16:05 jcbollinger New Issue
2021-01-07 16:05 jcbollinger Tag Attached: authentication
2021-01-07 16:07 jcbollinger Tag Attached: update
2021-01-07 16:07 jcbollinger Tag Attached: kerberos