Hello,
Trying to log into Xdm on a box with SSSD 1.12.1 with sssd-ad configured and a *wrong* password results in a "A critical error occured" dialog box, see attached screenshot.
This looks very much like SSSD is returning the wrong exit code to PAM (i.e. PAM_SYSTEM_ERR instead of PAM_AUTH_ERR like here: https://bugzilla.novell.com/show_bug.cgi?id=779246 for the case of empty passwords)
Best regards, J Brauchle
On (06/11/14 08:35), Joschi Brauchle wrote:
> Hello,
> Trying to log into Xdm on a box with SSSD 1.12.1 with sssd-ad configured and a *wrong* password results in a "A critical error occured" dialog box, see attached screenshot.
> This looks very much like SSSD is returning the wrong exit code to PAM (i.e. PAM_SYSTEM_ERR instead of PAM_AUTH_ERR like here: https://bugzilla.novell.com/show_bug.cgi?id=779246 for the case of empty passwords)
PAM_SYSTEM_ERR could be returned from sssd in case of problems with GPO. By default GPO is in permissive mode, but if rules cannot be downloaded (or any other problem with GPO) sssd will return PAM_SYSTEM_ERR (which was wrong).
The problem is fixed in 1.12.2, but I would need to see sssd log files to be sure you have the same issue.
LS
On 11/06/2014 09:02 AM, Lukas Slebodnik wrote:
> PAM_SYSTEM_ERR could be returned from sssd in case of problems with GPO. By default GPO is in permissive mode, but if rules cannot be downloaded (or any other problem with GPO) sssd will return PAM_SYSTEM_ERR (which was wrong).
> The problem is fixed in 1.12.2, but I would need to see sssd log files to be sure you have the same issue.
> LS
I updated the machine to 1.12.2 and tested with
- ad_gpo_access_control = permissive (i.e. default)
- ad_gpo_access_control = false
but the problem persists when entering a wrong password.
I will send log files with debug_level=9 off-list as I don't want them in the list archive...
J Brauchle
On Thu, Nov 06, 2014 at 05:08:35PM +0100, Joschi Brauchle wrote:
> I updated the machine to 1.12.2 and tested with
> - ad_gpo_access_control = permissive (i.e. default)
> - ad_gpo_access_control = false
> but the problem persists when entering a wrong password.
> I will send log files with debug_level=9 off-list as I don't want them in the list archive...
> J Brauchle
Thank you for the logs!
This thread sounds a bit similar and also you reminded me to take a look into it again as we're changing the krb5_child code anyway: https://patchwork.acksyn.org/patch/7382/
On 11/06/2014 07:13 PM, Jakub Hrozek wrote:
> Thank you for the logs!
> This thread sounds a bit similar and also you reminded me to take a look into it again as we're changing the krb5_child code anyway: https://patchwork.acksyn.org/patch/7382/
Hello Jakub, yes that is exactly the same as my problem!
I'm not a PAM expert at all, but according to the PAM_*_ERR explanations I found
---------------
#define PAM_AUTH_ERR 7 /* Authentication failure */
#define PAM_CRED_ERR 17 /* Failure setting user credentials */
---------------
it sounds like a wrong password should result in PAM_AUTH_ERR rather than PAM_CRED_ERR.
J Brauchle
On Fri, Nov 07, 2014 at 12:10:26PM +0100, Joschi Brauchle wrote:
> Hello Jakub, yes that is exactly the same as my problem!
> I'm not a PAM expert at all, but according to the PAM_*_ERR explanations I found
> #define PAM_AUTH_ERR 7 /* Authentication failure */
> #define PAM_CRED_ERR 17 /* Failure setting user credentials */
> it sounds like a wrong password should result in PAM_AUTH_ERR rather than PAM_CRED_ERR.
> J Brauchle
The problem is that different Kerberos servers send the same error codes to differentiate between different conditions. For instance, an error code that indicates a genuine failure with AD might indicate a password migration with IPA.
We need to add better logic around the error code in krb5_auth.c ...
sssd-users@lists.fedorahosted.org
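
A sketch of the server-aware error mapping the last reply calls for, added here as an example and not taken from SSSD or from anyone in the thread. The enum names, the function and the use of PAM_CRED_ERR as the migration signal are assumptions of this sketch; the numeric PAM values are Linux-PAM's.

```c
#include <stdio.h>

/* Linux-PAM return codes, defined locally so this builds without PAM headers. */
enum pam_rc { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_AUTH_ERR = 7,
              PAM_AUTHINFO_UNAVAIL = 9, PAM_CRED_ERR = 17 };

/* Hypothetical names for this sketch: server flavour and simplified outcome. */
enum kdc_kind { KDC_AD, KDC_IPA };
enum krb_outcome { KRB_OK, KRB_PREAUTH_FAILED, KRB_KDC_UNREACHABLE, KRB_INTERNAL };

/* Map one Kerberos outcome to a PAM code, taking the server flavour into account.
 * migration_enabled: IPA password migration is switched on for the domain. */
int map_krb_outcome(enum kdc_kind kdc, enum krb_outcome out, int migration_enabled)
{
    switch (out) {
    case KRB_OK:
        return PAM_SUCCESS;
    case KRB_PREAUTH_FAILED:
        /* Assumption: on IPA with migration on, the same failure may mean the
         * user has no Kerberos keys yet, so signal the caller to try migration. */
        if (kdc == KDC_IPA && migration_enabled)
            return PAM_CRED_ERR;
        return PAM_AUTH_ERR;          /* plain wrong password */
    case KRB_KDC_UNREACHABLE:
        return PAM_AUTHINFO_UNAVAIL;  /* infrastructure problem, not bad credentials */
    case KRB_INTERNAL:
    default:
        return PAM_SYSTEM_ERR;        /* reserved for genuine internal errors */
    }
}

int main(void)
{
    static const char *kdc_name[] = { "AD", "IPA" };
    /* Print how the same wrong-password outcome maps for each server flavour. */
    for (int k = KDC_AD; k <= KDC_IPA; k++)
        for (int mig = 0; mig <= 1; mig++)
            printf("%-3s migration=%d wrong-password -> PAM code %d\n",
                   kdc_name[k], mig,
                   map_krb_outcome((enum kdc_kind)k, KRB_PREAUTH_FAILED, mig));
    return 0;
}
```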