
Trusted root domain suffix does not work for subdomain users as UPN (FreeIPA) #7775

chagainota opened this issue Dec 18, 2024 · 10 comments


chagainota commented Dec 18, 2024

We are using a FreeIPA installation with an AD trusted domain.
The issue is that users from subdomains whose UPN has the root domain suffix cannot log in.
[note: sAMAccountName and UPN are not the same for this user]

So, for example:
the root AD domain is example.com and the subdomains are a.example.com, b.example.com, etc.
User joe from subdomain a.example.com cannot log in if his UPN has the root domain suffix ('[email protected]'); if it is configured with the subdomain suffix, it works.

For us the problem was solved by adding the following in file responder/pam/pamsrv_cmd.c (line 2761).

was:

  if (!preq->pd->domain) {
        preq->pd->domain = preq->domain->name;
    }

now:

  if (!preq->pd->domain) {
        preq->pd->domain = preq->domain->name;
    }
+ if (strcmp(preq->pd->domain,preq->domain->name)) {
+        preq->pd->domain = preq->domain->name;
+     }
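
Review bot: the added strcmp block assigns preq->domain->name to preq->pd->domain and simply drops the previous pointer (never freeing it if it was allocated), and, like the NULL-guard assignment just above it, stores a pointer aliased to the domain object rather than a copy owned by pd, so the field's lifetime now depends on which path ran; a talloc_strdup(preq->pd, preq->domain->name) in both places would make ownership uniform. strcmp() is also case-sensitive while domain names are not, so an input that differs only in case (EXAMPLE.COM) triggers a pointless reassignment; strcasecmp() avoids that. The NULL guard above must stay in front of this block, since strcmp() on a NULL pd->domain would crash.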

@sumit-bose (Contributor):

Hi,

can you try whether adding

krb5_use_enterprise_principal = True

in the [domain/...] section of sssd.conf makes authentication work without your patch?

bye,
Sumit


chagainota commented Dec 19, 2024 via email

@sumit-bose (Contributor):

Hi,

would it be possible to get debug logs with debug_level = 9 in the [domain/...] section of sssd.conf covering an authentication attempt?

To my knowledge there should be no difference on the Kerberos level between a custom domain suffix set in AD's "Alternative Domain Suffixes" and existing domain names, e.g. the name of the forest root, as long as the UPN is unique in the forest, e.g. you cannot do this with the Administrator account which is present in all domains in the forest.

bye,
Sumit

@dmitriiturevskii:

Let me share some analysis of this issue.
We have a user in subdomain.example.com with UPN [email protected] and sAMAccountName [email protected]. The IPA trust is established with the top-level example.com domain.
When the user tries to authorize, SSSD's PAM module correctly resolves the user (via IPA calls) and saves this user in the LDB for domain subdomain.example.com.
When the actual authorization attempt (with [email protected]) happens, the PAM_AUTHORIZE request has its domain field set as it was in the initial PAM_AUTHORIZE request, i.e. example.com. So SSSD tries to extract the user data from the LDB for example.com and fails, leading to a "System error" failure.
I think that our patch is not in the best place, but we don't know SSSD's overall architecture. A better place could be:

  • in the second PAM_AUTHORIZE request, replace the domain with the domain derived from the userid
  • on data extraction failure, don't fail immediately, but retry data extraction from the domain derived from the userid.

@sumit-bose (Contributor):

Hi,

it is expected that SSSD will first try example.com if the input ends with @example.com. But if no user was found during this attempt, SSSD will start to check all domains. It would be very helpful to have SSSD debug logs to understand at which point exactly this request fails in your environment. Please note, having a UPN which differs from the canonical principal based on sAMAccountName is quite common and works fine in general.

bye,
Sumit

@dmitriiturevskii:

As I stated before, the subdomain request does not fail. It succeeds in finding [email protected], and writes the results (with groups and overrides) into the LDB for subdomain.example.com.
The point of failure is later, when the second attempt to authorize is made, this time with the correct userid. At that time SSSD does an LDB lookup for [email protected], but it looks in the LDB for example.com, not for subdomain.example.com. This lookup fails, which is unexpected and leads to authorization failure.

@sumit-bose (Contributor):

Hi,

do I understand correctly that the authentication was successful and the issue happened during access control (pam_acct_mgmt(), label SSS_PAM_ACCT_MGMT in the SSSD debug logs)?

When you say "it looks in LDB for example.com", do you mean that it looks into a ldb file /var/lib/sss/db/cache_example.com.ldb or that the search base cn=users,cn=example.com,cn=sysdb is used? I'm asking because there should be only a single ldb data cache file /var/lib/sss/db/cache_your.ipa.domain.ldb which will keep the data for trusted domains as well.

Can you send your sssd.conf file? Did you modify it in any way, or did you add config overrides in /etc/sssd/conf.d?

bye,
Sumit

@dmitriiturevskii:

No. Let's look at the logs.
sssd_pam.log:

(2025-01-02 14:21:37): [pam] [get_client_cred] (0x4000): Client [0x5621fd70c500][19] creds: euid[0] egid[0] pid[362434] cmd_line['sshd: [email protected] [pam]'].
(2025-01-02 14:21:37): [pam] [pam_cmd_authenticate] (0x0100): [CID#1] entering pam_cmd_authenticate
(2025-01-02 14:21:37): [pam] [sss_domain_get_state] (0x1000): [CID#1] Domain ipa.domain is Active
(2025-01-02 14:21:37): [pam] [sss_domain_get_state] (0x1000): [CID#1] Domain example.com is Active
(2025-01-02 14:21:37): [pam] [sss_parse_name_for_domains] (0x0200): [CID#1] name '[email protected]' matched expression for domain 'example.com', user is user.name
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] command: SSS_PAM_AUTHENTICATE
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] domain: example.com
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] user: user.name
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] service: sshd
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] tty: ssh
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] ruser: not set
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] rhost: ip.ad.dr.ess
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] authtok type: 1 (Password)
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] newauthtok type: 0 (No authentication token available)
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] priv: 1
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] cli_pid: 362434
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] logon name: [email protected]
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] flags: 1

...snip...

(2025-01-02 14:21:37): [pam] [cache_req_set_plugin] (0x2000): [CID#1] CR #0: Setting "Initgroups by UPN" plugin
(2025-01-02 14:21:37): [pam] [cache_req_set_name] (0x0400): [CID#1] CR #0: Setting name [[email protected]]
(2025-01-02 14:21:37): [pam] [cache_req_assume_upn] (0x0400): [CID#1] CR #0: Assuming UPN [[email protected]]
(2025-01-02 14:21:37): [pam] [cache_req_select_domains] (0x0400): [CID#1] CR #0: Performing a multi-domain search
(2025-01-02 14:21:37): [pam] [cache_req_search_domains] (0x0400): [CID#1] CR #0: Search will check the cache and bypass the data provider
(2025-01-02 14:21:37): [pam] [cache_req_validate_domain_type] (0x2000): [CID#1] Request type POSIX-only for domain subdomain.example.com type POSIX is valid
(2025-01-02 14:21:37): [pam] [cache_req_set_domain] (0x0400): [CID#1] CR #0: Using domain [subdomain.example.com]
(2025-01-02 14:21:37): [pam] [cache_req_prepare_domain_data] (0x0400): [CID#1] CR #0: Preparing input data for domain [subdomain.example.com] rules
(2025-01-02 14:21:37): [pam] [cache_req_search_send] (0x0400): [CID#1] CR #0: Looking up [email protected]
(2025-01-02 14:21:37): [pam] [cache_req_search_ncache] (0x0400): [CID#1] CR #0: Checking negative cache for [[email protected]]
(2025-01-02 14:21:37): [pam] [sss_ncache_check_str] (0x2000): [CID#1] Checking negative cache for [NCE/USER/subdomain.example.com/@[email protected]]
(2025-01-02 14:21:37): [pam] [cache_req_search_ncache] (0x0400): [CID#1] CR #0: [[email protected]] is not present in negative cache
(2025-01-02 14:21:37): [pam] [cache_req_search_cache] (0x0400): [CID#1] CR #0: Looking up [[email protected]] in cache
(2025-01-02 14:21:37): [pam] [cache_req_search_send] (0x0400): [CID#1] CR #0: Returning [[email protected]] from cache
(2025-01-02 14:21:37): [pam] [cache_req_search_ncache_filter] (0x0400): [CID#1] CR #0: This request type does not support filtering result by negative cache
(2025-01-02 14:21:37): [pam] [cache_req_create_and_add_result] (0x0400): [CID#1] CR #0: Found 3 entries in domain subdomain.example.com
(2025-01-02 14:21:37): [pam] [cache_req_done] (0x0400): [CID#1] CR #0: Finished: Success

As you see, the lookup by UPN succeeds. Now the second authorization attempt, with the user's primary name:

(2025-01-02 14:21:37): [pam] [pd_set_primary_name] (0x0400): [CID#1] User's primary name is [email protected]
(2025-01-02 14:21:37): [pam] [pam_initgr_check_timeout] (0x4000): [CID#1] User [[email protected]] not found in PAM cache.
(2025-01-02 14:21:37): [pam] [pam_initgr_cache_set] (0x2000): [CID#1] [[email protected]] added to PAM initgroup cache
(2025-01-02 14:21:37): [pam] [pam_dp_send_req] (0x0100): [CID#1] Sending request with the following data:
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] command: SSS_PAM_AUTHENTICATE
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] domain: example.com
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] user: [email protected]
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] service: sshd
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] tty: ssh
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] ruser: not set
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] rhost: 172.25.12.13
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] authtok type: 1 (Password)
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] newauthtok type: 0 (No authentication token available)
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] priv: 1
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] cli_pid: 362434
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] logon name: [email protected]
(2025-01-02 14:21:37): [pam] [pam_print_data] (0x0100): [CID#1] flags: 1
(2025-01-02 14:21:37): [pam] [pam_dom_forwarder] (0x0100): [CID#1] pam_dp_send_req returned 0
(2025-01-02 14:21:37): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2025-01-02 14:21:37): [pam] [pam_dp_send_req_done] (0x0200): [CID#1] received: [4 (System error)][example.com]
(2025-01-02 14:21:37): [pam] [pam_reply] (0x4000): [CID#1] pam_reply initially called with result [4]: System error. this result might be changed during processing
(2025-01-02 14:21:37): [pam] [filter_responses] (0x0100): [CID#1] PAM response filter: [ENV:KRB5CCNAME:sudo].
(2025-01-02 14:21:37): [pam] [filter_responses] (0x0100): [CID#1] PAM response filter: [ENV:KRB5CCNAME:sudo-i].
(2025-01-02 14:21:37): [pam] [pam_reply] (0x0200): [CID#1] blen: 30
(2025-01-02 14:21:37): [pam] [pam_reply] (0x0200): [CID#1] Returning [4]: System error to the client
(2025-01-02 14:21:39): [pam] [client_recv] (0x0200): [CID#1] Client disconnected!
(2025-01-02 14:21:39): [pam] [client_close_fn] (0x2000): Terminated client [0x5621fd70c500][19]

And here you see the System error and the failure.
Now let's look at sssd_ipa.domain.log (in the next comment).

@dmitriiturevskii:

(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam]
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_get_account_info_send] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][[email protected]]
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_attach_req] (0x0400): [RID#9] DP Request [Initgroups #9]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0x0001].
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_attach_req] (0x0400): [RID#9] Number of active DP request: 1
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [check_if_pac_is_available] (0x4000): [RID#9] No PAC available.
(2025-01-02 14:21:37): [be[ipa.domain]] [sdap_id_op_connect_step] (0x4000): [RID#9] reusing cached connection
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#9] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [[email protected]] to IPA server
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_exop_send] (0x0400): [RID#9] Executing extended operation
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_exop_send] (0x2000): [RID#9] ldap_extended_operation sent, msgid = 16
(2025-01-02 14:21:37): [be[ipa.domain]] [sdap_op_add] (0x2000): [RID#9] New operation 16 timeout 6
(2025-01-02 14:21:37): [be[ipa.domain]] [sdap_process_result] (0x2000): Trace: sh[0x562aaef0b9c0], connected[1], ops[0x562aaef5bd70], ldap[0x562aaef4caa0]
(2025-01-02 14:21:37): [be[ipa.domain]] [sdap_process_message] (0x4000): [RID#9] Message type: [LDAP_RES_EXTENDED]
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_exop_done] (0x0400): [RID#9] ldap_extended_operation result: Success(0), (null).
(2025-01-02 14:21:37): [be[ipa.domain]] [sdap_op_destructor] (0x2000): [RID#9] Operation 16 finished
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [add_v1_user_data] (0x4000): [RID#9] BER tag is [48]
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Found new sequence.
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [objectSIDString].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalADname].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalADuidNumber].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalADgidNumber].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalADhomeDirectory].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalADgecos].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [userPrincipalName].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [defaultOverrideName].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [adAccountExpires].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [adUserAccountControl].
(2025-01-02 14:21:37): [be[ipa.domain]] [get_extra_attrs] (0x4000): [RID#9] Extra attribute [originalDN].
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_get_user_done] (0x0400): [RID#9] Received [2] groups in group list from IPA Server
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_get_user_done] (0x0400): [RID#9] [[email protected]].
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_get_user_done] (0x0400): [RID#9] [domain [email protected]].
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain2.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#9] Domain subdomain.example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_save_objects] (0x4000): [RID#9] Found original AD name [[email protected]].
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_s2n_save_objects] (0x4000): [RID#9] Found original AD upn [[email protected]].
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_ldb_msg_difference] (0x2000): [RID#9] Replaced/extended attr [gidNumber] of entry [[email protected],cn=users,cn=subdomain.example.com,cn=sysdb]
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_set_entry_attr] (0x0200): [RID#9] Entry [[email protected],cn=users,cn=subdomain.example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_remove_attrs] (0x2000): [RID#9] Removing attribute [originalMemberOf] from [[email protected]]
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_remove_attrs] (0x2000): [RID#9] Removing attribute [sshPublicKey] from [[email protected]]
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_remove_attrs] (0x2000): [RID#9] Removing attribute [userCertificate] from [[email protected]]
(2025-01-02 14:21:37): [be[ipa.domain]] [sysdb_store_user] (0x0400): [RID#9] User "[email protected]" has been stored

As you see, the user was stored in the LDB with the key name=[email protected],cn=users,cn=subdomain.example.com,cn=sysdb
and now when PAM_AUTHENTICATE is processed:

(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.pamHandler on /sssd
(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam]
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): domain: example.com
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): user: [email protected]
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): service: sshd
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): tty: ssh
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): ruser:
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): rhost: ip.add.re.ss
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): priv: 1
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): cli_pid: 362434
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): logon name: not set
(2025-01-02 14:21:37): [be[ipa.domain]] [pam_print_data] (0x0100): flags: 0
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_attach_req] (0x0400): [RID#10] DP Request [PAM Authenticate #10]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_attach_req] (0x0400): [RID#10] Number of active DP request: 1
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [krb5_auth_queue_send] (0x1000): [RID#10] Wait queue of user [[email protected]] is empty, running request [0x562aaef31430] immediately.
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain ipa.domain is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [sss_domain_get_state] (0x1000): [RID#10] Domain example.com is Active
(2025-01-02 14:21:37): [be[ipa.domain]] [krb5_setup] (0x4000): [RID#10] No mapping for: [email protected]
(2025-01-02 14:21:37): [be[ipa.domain]] [krb5_auth_send] (0x0200): [RID#10] No attributes for user [[email protected]] found.
(2025-01-02 14:21:37): [be[ipa.domain]] [check_wait_queue] (0x1000): [RID#10] Wait queue for user [[email protected]] is empty.
(2025-01-02 14:21:37): [be[ipa.domain]] [krb5_auth_queue_done] (0x0040): [RID#10] krb5_auth_recv failed with: 2
(2025-01-02 14:21:37): [be[ipa.domain]] [ipa_pam_auth_handler_krb5_done] (0x0040): [RID#10] KRB5 auth failed [2]: No such file or directory
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_req_done] (0x0400): [RID#10] DP Request [PAM Authenticate #10]: Request handler finished [0]: Success
(2025-01-02 14:21:37): [be[ipa.domain]] [_dp_req_recv] (0x0400): [RID#10] DP Request [PAM Authenticate #10]: Receiving request data.
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_req_destructor] (0x0400): [RID#10] DP Request [PAM Authenticate #10]: Request removed.
(2025-01-02 14:21:37): [be[ipa.domain]] [dp_req_destructor] (0x0400): [RID#10] Number of active DP request: 0
(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2025-01-02 14:21:37): [be[ipa.domain]] [sbus_dispatch] (0x4000): Dispatching.

At this point I added some more debug prints in the function krb5_auth_send and found that sysdb_get_user_attr_with_views gets called with domain example.com and user [email protected] and returns 0 rows. If it were called with domain subdomain.example.com instead, it would return exactly 1 row as expected and the authorization attempt would continue.
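
The two-step flow described in this comment and in the earlier analysis above (the input is assigned to example.com by its suffix, the multi-domain cache search finds the object under subdomain.example.com, and the single-domain lookup on the authenticate step then fails), modelled as an added C example. This is not SSSD code: the domain list, the two cache entries, the user joe and the trimmed pam_data are constructed stand-ins, plain strdup()/free() replace talloc, and the function names only echo the ones that appear in the logs. With fix set to 0 it reproduces the ENOENT (2) from the log; with fix set to 1 the domain is taken from the cache hit and the lookup succeeds.

```c
/* Added example, not SSSD code: models the parsed-domain vs. cache-domain mismatch behind
 * this issue. Domains, cache entries and user "joe" are constructed; strdup/free stand in for talloc. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define EOK 0
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One sysdb object: stored under one SSSD domain, canonical name from
 * sAMAccountName, UPN possibly carrying the forest-root suffix. */
struct cache_entry { const char *domain, *name, *upn; };

static const char *domains[] = { "ipa.domain", "example.com", "subdomain.example.com" };
static const struct cache_entry cache[] = {
    { "subdomain.example.com", "joe@subdomain.example.com", "joe@example.com" },
    { "example.com", "root.user@example.com", "root.user@example.com" },
};

struct pam_data { char *user; char *domain; };   /* the two fields the flow rewrites */

/* Like sss_parse_name_for_domains: pick the configured domain equal to the
 * suffix after '@'. joe@example.com is thus assigned to example.com although
 * joe's object lives in subdomain.example.com. */
static const char *parse_domain_by_suffix(const char *input)
{
    const char *at = strchr(input, '@');
    for (size_t i = 0; at != NULL && i < COUNT(domains); i++)
        if (strcasecmp(at + 1, domains[i]) == 0) return domains[i];
    return NULL;
}

/* Cache search. domain == NULL is the multi-domain "Initgroups by UPN" search
 * (any domain, by name or UPN); otherwise the single-domain lookup by
 * canonical name that sysdb_get_user_attr_with_views(domain, user) performs. */
static const struct cache_entry *cache_lookup(const char *domain, const char *input)
{
    for (size_t i = 0; i < COUNT(cache); i++) {
        const struct cache_entry *e = &cache[i];
        if (domain == NULL && (!strcasecmp(e->name, input) || !strcasecmp(e->upn, input)))
            return e;
        if (domain != NULL && !strcasecmp(e->domain, domain) && !strcasecmp(e->name, input))
            return e;
    }
    return NULL;
}

/* Set the canonical name and, with fix != 0, also the domain the hit lives in
 * (fix == 0 is the old name-only behaviour that keeps the parsed domain).
 * Copies are made before anything is freed, so ENOMEM leaves pd untouched. */
static int pd_set_primary_name_and_domain(const struct cache_entry *hit, int fix, struct pam_data *pd)
{
    char *name = strdup(hit->name), *domain = NULL;
    if (name == NULL) return ENOMEM;
    if (fix && (pd->domain == NULL || strcasecmp(pd->domain, hit->domain) != 0)) {
        if ((domain = strdup(hit->domain)) == NULL) { free(name); return ENOMEM; }
    }
    free(pd->user); pd->user = name;
    if (domain != NULL) { free(pd->domain); pd->domain = domain; }
    return EOK;
}

/* Both PAM steps: parse, multi-domain cache search, then the single-domain
 * lookup the auth handler performs. Returns EOK, ENOENT (what the log shows
 * as "krb5_auth_recv failed with: 2") or ENOMEM. */
static int authenticate(const char *input, int fix, struct pam_data *pd)
{
    const char *parsed = parse_domain_by_suffix(input);
    pd->user = strdup(input);
    pd->domain = parsed ? strdup(parsed) : NULL;
    if (pd->user == NULL || (parsed && pd->domain == NULL)) return ENOMEM;
    const struct cache_entry *hit = cache_lookup(NULL, input);
    if (hit == NULL) return ENOENT;
    int ret = pd_set_primary_name_and_domain(hit, fix, pd);
    if (ret != EOK) return ret;
    if (pd->domain == NULL) return ENOENT;
    return cache_lookup(pd->domain, pd->user) ? EOK : ENOENT;
}

/* Run one case; returns its result, or -1 when the final pd->domain is not
 * the expected one (expected == NULL skips that check). */
static int demo(const char *input, int fix, const char *expected)
{
    struct pam_data pd = { NULL, NULL };
    int ret = authenticate(input, fix, &pd);
    if (expected != NULL && (pd.domain == NULL || strcasecmp(pd.domain, expected) != 0))
        ret = -1;
    free(pd.user); free(pd.domain);
    return ret;
}

int main(void)
{
    printf("unfixed joe@example.com -> %s\n", strerror(demo("joe@example.com", 0, NULL)));
    printf("fixed   joe@example.com -> %s\n", strerror(demo("joe@example.com", 1, NULL)));
}
```

The correction is applied at the point where the canonical name is set, because that is the first moment the real domain of the object is known, and new copies are taken before the old values are released, so an allocation failure returns ENOMEM with the request data exactly as it was.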

@sumit-bose (Contributor):

Hi,

thank you for the logs. Your patch is basically correct but in the wrong function. The domain should be set based on the results from the cache lookup.

Would it be possible to test the following patch:

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 941446d94..cdab40897 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -255,7 +255,9 @@ static int extract_uint32_t(uint32_t *var, size_t size, uint8_t *body,
     return EOK;
 }
 
-static int pd_set_primary_name(const struct ldb_message *msg,struct pam_data *pd)
+static int pd_set_primary_name_and_domain(const struct ldb_message *msg,
+                                          const char *domain_name,
+                                          struct pam_data *pd)
 {
     const char *name;
 
@@ -272,6 +274,16 @@ static int pd_set_primary_name(const struct ldb_message *msg,struct pam_data *pd
         if (!pd->user) return ENOMEM;
     }
 
+    /* Check if the user is actually coming from a different domain than
+     * provided with the input. This might happen if the input is a UPN or
+     * an email address. */
+    if (pd->domain == NULL
+            || strcasecmp(domain_name, pd->domain) != 0) {
+        talloc_free(pd->domain);
+        pd->domain = talloc_strdup(pd, domain_name);
+        if (!pd->domain) return ENOMEM;
+    }
+
     return EOK;
 }
 
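Review bot: in the new block, talloc_free(pd->domain) runs before talloc_strdup(pd, domain_name), so if the allocation fails the function returns ENOMEM with pd->domain already NULL, leaving the caller a half-updated pam_data instead of an unchanged one; take the copy first and free the old value only once the copy succeeded. domain_name is also handed straight to strcasecmp() without a NULL check, so either guard it or state in the comment above the block that callers must pass a valid name.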
@@ -2604,7 +2616,8 @@ static void pam_check_user_search_done(struct pam_auth_req *preq, int ret,
 
     if (ret == EOK) {
         preq->user_obj = result->msgs[0];
-        pd_set_primary_name(preq->user_obj, preq->pd);
+        pd_set_primary_name_and_domain(preq->user_obj, result->domain->name,
+                                       preq->pd);
         preq->domain = result->domain;
 
         ret = pam_initgr_cache_set(pctx->rctx->ev,
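Review bot: the return value of pd_set_primary_name_and_domain() is still discarded, as pd_set_primary_name()'s was, so an ENOMEM from the new talloc_strdup() goes unnoticed and the request carries on with preq->domain pointing at result->domain while preq->pd->domain may be NULL or stale. Assign the result to ret and take this function's error path when it is not EOK; now that the helper can fail in a second way, ignoring it is no longer harmless.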

If it works and you don't mind, feel free to open a pull request with this patch.

bye,
Sumit
