Bug 1454559
| Summary: | python-sssdconfig doesn't parse hexadecimal debug_level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | apeetham, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, tscherf |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://faf.lab.eng.brq.redhat.com/faf/reports/bthash/c5890d5ad2a56b029bec2e4e54ffff1725885aaa/ | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.16.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 17:11:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Steeve Goveas
2017-05-23 04:16:08 UTC
I'm switching component to sssd since this is a bug in sssd config api.
I can reproduce it by having debug_level = 0x3ff0 in [pam] section of sssd.conf. Authconfig method writeSSSDPAM calls "sssdConfig.get_service('pam')" which internally call "set_option" which triggers this invalid type expection since it expect integer but read string. Authconfig does not manipulate debug_level option itself.
Agree that's bug in python-sssdconfig and definition of type for debug_level. It looks line "int" is considered just a decimal number and not hexa-decimal number e.g. "0x3ff0" Upstream ticket: https://pagure.io/SSSD/sssd/issue/3410 master: * fca26b76f23ee4457d6796b19892ed97362b6c8d * 6df5b36008fef9c1f6dcf8f31af033a467e744c7 sssd-1-14: * 712f1cc9acb8b71e6906d7a168a045920d491d96 * facc24ec969087bd20e58636d263553ccc97ab4e sssd-1-13: * 5de29e378bc7f44874626c1db954fc403aaec5d6 * 9e896d643c5524b78fb0a2fa7de0e4675f524731 This crash caused the authentication failures in "cached_auth_timeout" test suite. Reason being the PAM files which were not configured with pam_sss.so modules. I had to manually configure the /etc/pam.d/system-auth and /etc/pam.d/password-auth files to rectify the failures. This issue was not seen with build sssd-1.15.1-1.el7.x86_64 as we had a successful beaker run -- https://beaker.engineering.redhat.com/jobs/1759805 Looks like a regression after build sssd-1.15.1-1. It is not a regression because hexadecimal numbers for debug_level never worked with python-sssdconfig in services sections. They worked just in domain sections. Yes, you are right. I executed another run with "debug_level = 9" in PAM section, and the SSSD crash disappeared. We have always executed this testsuite with "debug_level=0xFFF0" in PAM section and strangely never seen a crash prior to build sssd-1.15.1-1 and that is why i marked it as "Regression". Thank you. (In reply to Amith from comment #9) > Yes, you are right. I executed another run with "debug_level = 9" in PAM > section, and the SSSD crash disappeared. > We have always executed this testsuite with "debug_level=0xFFF0" in PAM > section and strangely never seen a crash prior to build sssd-1.15.1-1 and > that is why i marked it as "Regression". > > Thank you. As you can see in description of ticket; python-sssdocnfig is used by authconfig. And previously authconfig dif not set anything in "[pam]" section. Therefore you could not hit this bug. BTW it is already fixed and covered by unit test in upstream since 2017-05-29. I have not idea why it was not backported to downstream. Probably it was too late. (In reply to Lukas Slebodnik from comment #10) > BTW it is already fixed and covered by unit test in upstream since > 2017-05-29. I have not idea why it was not backported to downstream. > Probably it was too late. Yes, RHEL was in the exception mode since Thu 2017-05-18 according to the schedule, so at the moment, we are targetting 7.5 with this fix. Verified the bug on SSSD Version : sssd-1.16.0-7.el7.x86_64 This bug is based on one of the crash report generated after the failed execution of cached_auth_timeout test suite. The beaker job failed with a crash due to the execution of "/usr/sbin/authconfig --enablesssd --enablesssdauth --updateall" when "debug_level=0xFFF0" is set in pam section of sssd.conf. Verified this bug by executing beaker job for "cached_auth_timeout" test suite on rhel-7.5 with latest sssd build. Beaker job : https://beaker.engineering.redhat.com/jobs/2171645 Steps in test suite that verifies this bug: 1. The runtest file in this test suite configures sssd.conf as follows: [sssd] config_file_version = 2 services = nss, pam domains = LDAP [pam] debug_level=0xFFF0 pam_id_timeout = 30 offline_failed_login_attempts = 0 offline_failed_login_delay = 5 [domain/LDAP] debug_level=0xFFF0 id_provider = ldap auth_provider = ldap ldap_uri = ldap://$SERVER ldap_tls_cacert = /etc/openldap/certs/cacert.asc ldap_search_base = $DS_BASE_DN cache_credentials = True 2. The pam section in above sssd.conf is set with required debug_level in hexadecimal. The next set of commands execute authconfig which caused crash in the earlier builds. chmod 0600 /etc/sssd/sssd.conf authconfig --enablesssd --enablesssdauth --updateall 3. The beaker job ran successfully without failures or crash, which verifies this bug. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0929 |