Bug 1033133

Summary: "System Error" when invalid ad_access_filter is used
Product: Red Hat Enterprise Linux 7 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.11.2-23.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:43:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Kaushik Banerjee 2013-11-21 15:34:44 UTC
Description of problem:
"System Error" when invalid ad_access_filter is used

Version-Release number of selected component (if applicable):
sssd-1.11.2-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Add an invalid search filter like "ad_access_filter = group1_dom1" in sssd.conf

2. Try to login as a user.

Actual results:
Login fails, but system error appears in logs:

(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]][sdap_access_filter_get_access_done] (0x0020):
sdap_get_generic_send() returned error [5][Input/output error]
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]]
[sdap_access_filter_done] (0x0020): Error retrieving access check
result.
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]] [ad_access_done]
(0x0040): Error retrieving access check result: Input/output error
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4,
Input/output error) [Internal Error (System error)]

Expected results:
Instead of "System Error" print a nicer error message to syslog.

Additional info:

Comment 2 Jakub Hrozek 2013-11-29 11:55:15 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2164

Comment 3 Jakub Hrozek 2014-01-09 11:14:03 UTC
Fixed upstream:
    master: 2a96981a0ac781d01e5bba473409ed2bdf4cd4e0
    sssd-1-11: cb85329bf73f55f6433d3a9194d2b87c631aea4a

Comment 5 Kaushik Banerjee 2014-01-14 17:53:13 UTC
Verified in version 1.11.2-23.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_10: bz 1033133 invalid ad_access_filter
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_permission_denied user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'Bad search filter' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'System error' 
:: [   LOG    ] :: Duration: 6s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_10: bz 1033133 invalid ad_access_filter

Comment 6 Ludek Smid 2014-06-13 09:43:34 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.