[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
This bug was fixed in the package sssd - 1.13.4-1ubuntu1.7

---
sssd (1.13.4-1ubuntu1.7) xenial; urgency=medium

  * d/rules, d/sssd-common.install: Fix sssd_krb5_locator_plugin install
    path. (LP: #1664566)

 -- Andreas Hasenack  Fri, 21 Jul 2017 14:17:56 -0300

** Changed in: sssd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1664566

Title:
  sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1664566/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
Xenial verification

Confirmation of the bug with the current package:

- login failed:
Aug 21 12:14:06 xenial-sssd-sru-1664566 [sssd[krb5_child[4787]]]: Cannot find KDC for realm "EXAMPLE.COM"
Aug 21 12:14:06 xenial-sssd-sru-1664566 [sssd[krb5_child[4787]]]: Cannot find KDC for realm "EXAMPLE.COM"

- terminal:
ubuntu@xenial-sssd-sru-1664566:~$ sudo login
xenial-sssd-sru-1664566 login: ubuntu
Password:

Login incorrect
xenial-sssd-sru-1664566 login:

With packages from proposed the test case passes:

$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.7
  Candidate: 1.13.4-1ubuntu1.7
  Version table:
 *** 1.13.4-1ubuntu1.7 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.13.4-1ubuntu1.6 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     1.13.4-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

Retrying login:

ubuntu@xenial-sssd-sru-1664566:~$ sudo login
xenial-sssd-sru-1664566 login: ubuntu
Password:
Last login: Mon Aug 21 12:13:39 UTC 2017 from 10.0.100.1 on pts/1
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-32-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

18 packages can be updated.
0 updates are security updates.

We have a kerberos ticket:

ubuntu@xenial-sssd-sru-1664566:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_ctLjPX
Default principal: ubu...@example.com

Valid starting       Expires              Service principal
08/21/2017 12:15:22  08/21/2017 22:15:22  krbtgt/example@example.com
        renew until 08/22/2017 12:15:22

And a new plain kinit fails as expected:

ubuntu@xenial-sssd-sru-1664566:~$ kdestroy
ubuntu@xenial-sssd-sru-1664566:~$ kinit
kinit: Cannot find KDC for realm "LOCALHOST" while getting initial credentials
ubuntu@xenial-sssd-sru-1664566:~$

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
Hello Michael, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: sssd (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
I filed https://bugs.launchpad.net/debian/+source/krb5/+bug/1710634 to fix the libkrb5 plugins directory location and creation. There is no such plugin shipped with krb5 itself, that's why this was never noticed before I believe.
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
Reviewed the changes and sponsored the Upload, SRU Template ready and in unapproved now. Thanks for your work Andreas! Ready for the SRU Team to evaluate.
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
** Description changed: - Hi, + [Impact] - I'm on Ubuntu 16.04 LTS, sssd-common 1.13.4-1ubuntu1.1, libkrb5-3 - 1.13.2+dfsg-5. + Users cannot rely on the sssd krb5 locator plugin. Effect varies from + slow logins (client trying to reach many different KDCs instead of + directly the one specified by sssd configuration) to failed logins. - I'm in an environment with several Active Directory sites, each with a - domain controller. When remote sites' DCs are unreachable because of a - VPN outage, password authentication is slow or fails. tcpdump shows the - system is trying to talk to the other sites' domain controllers, and - timing out. + The bug is simple, and so is the fix. The plugin was installed in the + wrong directory. - sssd-common installs the locator plugin at /usr/lib/x86_64-linux- - gnu/krb5/plugins/krb5/sssd_krb5_locator_plugin.so. - But I can see in strace that Kerberos apps are looking for plugins in - /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5 instead (libkrb5 vs - krb5). + [Test Case] + This test case does not reproduce the exact case reported by the user, but is good enough to prove that the plugin is not loaded in the broken package, and is loaded just fine in the fixed package. - open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", - O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or - directory) + * install the packages on a xenial system. I suggest using LXD: + $ sudo apt install sssd krb5-kdc krb5-admin-server libpam-sss - As a result, Kerberos doesn't respect SSSD's Active Directory site - selection. + For the kerberos prompts, answer: + - default kerberos realm: EXAMPLE.COM + - kerberos servers: just hit enter + - administrative server: just hit enter - As a workaround, if I copy /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 - to /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5, site selection works - as expected. + * create the EXAMPLE.COM realm. 
Use any password during the creation, it doesn't matter: + $ sudo krb5_newrealm - Mailing list ref: https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/ - --- - ApportVersion: 2.20.1-0ubuntu2.4 - Architecture: amd64 - DistroRelease: Ubuntu 16.04 - JournalErrors: - Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system. -Users in the 'systemd-journal' group can see all messages. Pass -q to -turn off this notice. - No journal files were opened due to insufficient permissions. - Package: sssd 1.13.4-1ubuntu1.1 - PackageArchitecture: amd64 - ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR= - LANG=en_US.UTF-8 - SHELL=/bin/bash - ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24 - Tags: xenial uec-images - Uname: Linux 4.4.0-47-generic x86_64 - UpgradeStatus: No upgrade log present (probably fresh install) - UserGroups: - - _MarkForUpload: True + * create the ubuntu principal in the EXAMPLE.COM realm with a password of "ubuntu". Note: please make sure your local ubuntu user uses a different password, or has none at all. When we login succesfully later, we want to be sure it was via kerberos, and not the local user. 
+ $ sudo kadmin.local -q "addprinc -pw ubuntu ubu...@example.com" + + * configure the krb5 libraries to use a fake realm by default + - edit /etc/krb5.conf + - replace the default_realm value in [libdefaults] with LOCALHOST (just so it fails quickly): + [libdefaults] + default_realm = LOCALHOST + - do not restart the kerberos services + + * Create the sssd configuration file /etc/sssd/sssd.conf with these contents: + """ + [sssd] + config_file_version = 2 + services = pam + domains = kerberos.example.com + + [pam] + + [domain/kerberos.example.com] + id_provider = proxy + proxy_lib_name = files + auth_provider = krb5 + krb5_server = YOURADDRESS + krb5_realm = EXAMPLE.COM + """ + - replace YOURADDRESS with the IP of your test container or VM (do not use 127.0.0.1) + - IMPORTANT: sudo chmod 0600 /etc/sssd/sssd.conf + + * Start sssd: + $ sudo systemctl start sssd.service + + * in one terminal: + $ tail -f /var/log/syslog + + * in another terminal, run: + $ sudo login (or just become root and run login) + + * attempt to login as ubuntu with the kerberos password created earlier "ubuntu"): + $ sudo login + xenial-sssd-krb5-locator-1664566 login: ubuntu + Password: + + Login incorrect + + * observe that syslog complains about not finding the the KDC for the EXAMPLE.COM realm: + Jul 21 21:03:40 xenial-sssd-krb5-locator-1664566 [sssd[krb5_child[13628]]]: Cannot find KDC for realm "EXAMPLE.COM" + + * /var/log/auth will report a general PAM error with no specifics + + * install the fixed packages from proposed + + * retry the login as ubuntu: + - login succeeds + - no errors in /var/log/syslog + - /var/log/auth will
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/sssd/+git/sssd/+merge/327922
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
** Changed in: sssd (Ubuntu Xenial) Status: Confirmed => In Progress
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
I'll work on this next.

** Changed in: sssd (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: sssd (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Xenial)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
** Also affects: sssd (Ubuntu Xenial) Importance: Undecided Status: New
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
** Tags added: server-next
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
Please can this fix be backported to xenial, otherwise AD integration can be quite flakey for the current LTS release and the problem/fix is not immediately obvious.
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
This bug was fixed in the package sssd - 1.15.2-1ubuntu1

---
sssd (1.15.2-1ubuntu1) zesty; urgency=medium

  * Merge from Debian.
    - new bugfix release

sssd (1.15.2-1) unstable; urgency=medium

  * New upstream release.
  * control: Demote adcli to sssd-ad suggests.
  * rules, common.install: Fix sssd_krb5_locator_plugin install path.
    (LP: #1664566)
  * control, copyright, watch: Update upstream URLs.
  * common.install: Add libsss_files and socket activation helper.

 -- Timo Aaltonen  Thu, 06 Apr 2017 12:45:49 +0300

** Changed in: sssd (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
You're right, running 'strings /usr/lib/../libkrb5.so.3|grep plugins' shows that it's ../krb5/plugins/libkrb5. For some reason I changed it to plugins/krb5 some years ago, without a bug reference.. oh well, changed it back now, fixed in git.

** Changed in: sssd (Ubuntu)
       Status: New => Fix Committed
[Bug 1664566] Re: sssd_krb5_locator_plugin.so is not loaded (installed at wrong path)
apport information ** Description changed: Hi, + + I'm on Ubuntu 16.04 LTS, sssd-common 1.13.4-1ubuntu1.1, libkrb5-3 + 1.13.2+dfsg-5. I'm in an environment with several Active Directory sites, each with a domain controller. When remote sites' DCs are unreachable because of a VPN outage, password authentication is slow or fails. tcpdump shows the system is trying to talk to the other sites' domain controllers, and timing out. sssd-common installs the locator plugin at /usr/lib/x86_64-linux- gnu/krb5/plugins/krb5/sssd_krb5_locator_plugin.so. But I can see in strace that Kerberos apps are looking for plugins in /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5 instead (libkrb5 vs krb5). open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory) As a result, Kerberos doesn't respect SSSD's Active Directory site selection. As a workaround, if I copy /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 to /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5, site selection works as expected. Mailing list ref: https://lists.fedorahosted.org/archives/list/sssd- us...@lists.fedorahosted.org/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/ ** Tags added: apport-collected uec-images xenial ** Description changed: Hi, I'm on Ubuntu 16.04 LTS, sssd-common 1.13.4-1ubuntu1.1, libkrb5-3 1.13.2+dfsg-5. I'm in an environment with several Active Directory sites, each with a domain controller. When remote sites' DCs are unreachable because of a VPN outage, password authentication is slow or fails. tcpdump shows the system is trying to talk to the other sites' domain controllers, and timing out. sssd-common installs the locator plugin at /usr/lib/x86_64-linux- gnu/krb5/plugins/krb5/sssd_krb5_locator_plugin.so. But I can see in strace that Kerberos apps are looking for plugins in /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5 instead (libkrb5 vs krb5). 
open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory) As a result, Kerberos doesn't respect SSSD's Active Directory site selection. As a workaround, if I copy /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 to /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5, site selection works as expected. - Mailing list ref: https://lists.fedorahosted.org/archives/list/sssd- - us...@lists.fedorahosted.org/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/ + Mailing list ref: https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/ + --- + ApportVersion: 2.20.1-0ubuntu2.4 + Architecture: amd64 + DistroRelease: Ubuntu 16.04 + JournalErrors: + Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system. +Users in the 'systemd-journal' group can see all messages. Pass -q to +turn off this notice. + No journal files were opened due to insufficient permissions. + Package: sssd 1.13.4-1ubuntu1.1 + PackageArchitecture: amd64 + ProcEnviron: + TERM=xterm-256color + PATH=(custom, no user) + XDG_RUNTIME_DIR= + LANG=en_US.UTF-8 + SHELL=/bin/bash + ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24 + Tags: xenial uec-images + Uname: Linux 4.4.0-47-generic x86_64 + UpgradeStatus: No upgrade log present (probably fresh install) + UserGroups: + + _MarkForUpload: True ** Attachment added: "Dependencies.txt" https://bugs.launchpad.net/bugs/1664566/+attachment/4818794/+files/Dependencies.txt
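The path mismatch diagnosed in this thread (libkrb5 opening plugins/libkrb5 while the package installed the locator into plugins/krb5, confirmed with `strings ... | grep plugins`) can be checked mechanically. The following is an added shell example, not part of the original messages or the sssd packaging; the function names, the temporary directory tree and the stand-in libkrb5 file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the plugin directory libkrb5 searches with the
# directory where sssd_krb5_locator_plugin.so is actually installed.

PLUGIN_NAME=sssd_krb5_locator_plugin.so

# Print the plugin subdirectory name embedded in a libkrb5 binary
# (e.g. "libkrb5"). Assumption: the search path is stored as a plain
# string ending in krb5/plugins/<subdir>, which is what the
# `strings | grep plugins` check quoted in the thread relies on.
expected_subdir() {
    LC_ALL=C grep -a -o 'krb5/plugins/[A-Za-z0-9_][A-Za-z0-9_]*' "$1" 2>/dev/null |
        head -n 1 | sed 's|.*/||'
}

# Classify every copy of the locator plugin found below a root directory.
#   $1 = root to search, $2 = subdirectory name libkrb5 expects
# Prints "ok <path>", "misplaced <path>" or "missing <name>".
# Returns 0 only if at least one copy exists and none is misplaced.
locator_status() {
    report=$(find "$1" -path "*/krb5/plugins/*/$PLUGIN_NAME" 2>/dev/null | sort |
        while IFS= read -r path; do
            dir=$(basename "$(dirname "$path")")
            if [ "$dir" = "$2" ]; then
                echo "ok $path"
            else
                echo "misplaced $path"
            fi
        done)
    if [ -z "$report" ]; then
        echo "missing $PLUGIN_NAME"
        return 1
    fi
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^misplaced '; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed tree that mirrors the broken package layout.
demo() {
    tmp=$(mktemp -d) || return 1
    lib="$tmp/usr/lib/x86_64-linux-gnu"
    mkdir -p "$lib/krb5/plugins/krb5"
    # Constructed stand-in for libkrb5.so.3: a few binary bytes plus the path.
    printf 'ELF\000\000/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5\000tail' \
        > "$lib/libkrb5.so.3"
    # Plugin placed where the broken package put it (plugins/krb5).
    : > "$lib/krb5/plugins/krb5/$PLUGIN_NAME"

    want=$(expected_subdir "$lib/libkrb5.so.3")
    echo "libkrb5 searches: krb5/plugins/$want"
    locator_status "$tmp" "$want" || echo "=> locator plugin will not be loaded"
    rm -rf "$tmp"
}

demo
```

On a real host, pass the installed libkrb5.so.3 to `expected_subdir` and the library root to `locator_status`; a "misplaced" line matches the symptom reported here.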