Bug 733237

Summary: sssd blocks login of ipa-users
Product: [Fedora] Fedora
Reporter: Pieter Vogel <pvogel>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: grajaiya, jhrozek, sbose, sgallagh, ssorce
Hardware: x86_64
OS: Linux
Fixed In Version: sssd-1.5.13-1.fc15.2
Doc Type: Bug Fix
Clone Of:
: 734101 (view as bug list)
Last Closed: 2011-09-09 01:30:41 EDT
Bug Blocks: 734101, 748871

Attachments:
  output of "ipa hbacrule-find --all"
  debug output

Description Pieter Vogel 2011-08-25 05:02:34 EDT
Description of problem:
after updating to 1.5.12-1 ipa users can no longer login

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:

Steps to Reproduce:
1. install Fedora 15 (without updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works  

Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allows everything for this user
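The debug excerpt above is the key evidence in this report: the PAM_ACCT_MGMT request (the access-control phase, where sssd evaluates HBAC) ends with "Backend returned: (3, 4, ...)", a PAM_SYSTEM_ERR, not a PAM_PERM_DENIED, and it is preceded by errors from ipa_hbac_sysdb_save and hbac_sysdb_save. That distinction is what separates "HBAC denied this user" from "sssd failed while refreshing its HBAC cache". The following is an added example, not code from the bug report or from sssd: a small parser that groups sssd backend log lines into requests and classifies the outcome. The log sample is the description's own lines embedded as a string; the regular expressions, the dataclass and the verdict names are this example's assumptions, and the PAM numeric codes are the Linux-PAM values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the debug_level = 5 lines quoted in the bug description.
SAMPLE_LOG = """\
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

# sssd 1.5 debug lines look like "[function] (level): message".
LINE_RE = re.compile(r"^\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
RESULT_RE = re.compile(
    r"Backend returned: \((?P<dp>\d+), (?P<pam>\d+), [^)]*\) \[(?P<text>[^\]]*)\]"
)

# Linux-PAM return codes relevant to the triage.
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED = 0, 4, 6


@dataclass
class PamRequest:
    command: str = ""
    fields: dict = field(default_factory=dict)  # key/value lines printed by pam_print_data
    errors: List[Tuple[str, int, str]] = field(default_factory=list)  # (func, level, msg) at level <= 3
    result: Optional[Tuple[int, int, str]] = None  # (data-provider status, PAM errnum, text)


def parse_pam_requests(log_text: str) -> List[PamRequest]:
    """Group log lines into one PamRequest per 'Got request' ... 'Backend returned' span."""
    requests: List[PamRequest] = []
    current: Optional[PamRequest] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        func, level, msg = m.group("func"), int(m.group("level")), m.group("msg")
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = PamRequest()
            continue
        if current is None:
            continue  # tail of a request whose start is not in the excerpt
        if func == "pam_print_data":
            key, _, value = msg.partition(":")
            current.fields[key.strip()] = value.strip()
            if key.strip() == "command":
                current.command = value.strip()
        elif func == "be_pam_handler_callback":
            r = RESULT_RE.search(msg)
            if r:
                current.result = (int(r.group("dp")), int(r.group("pam")), r.group("text"))
                requests.append(current)
                current = None
        elif level <= 3:
            current.errors.append((func, level, msg))
    return requests


def classify(req: PamRequest) -> str:
    """Tell a policy decision apart from a backend failure using the PAM errnum."""
    if req.result is None:
        return "incomplete"
    pam_errnum = req.result[1]
    if pam_errnum == PAM_SUCCESS:
        return "allowed"
    if pam_errnum == PAM_PERM_DENIED:
        return "policy-denied"  # access control really denied the login: look at the rules
    if pam_errnum == PAM_SYSTEM_ERR:
        return "backend-error"  # sssd failed internally: read the errors it logged first
    return "other"


def triage(log_text: str) -> List[str]:
    """One summary line per request, suitable for pasting into a bug report."""
    lines = []
    for req in parse_pam_requests(log_text):
        verdict = classify(req)
        who = (f"{req.fields.get('user', '?')} via {req.fields.get('service', '?')} "
               f"from {req.fields.get('rhost', '?')}")
        line = f"{req.command}: {who} -> {verdict}"
        if verdict == "backend-error":
            funcs = sorted({func for func, _, _ in req.errors})
            line += " (errors logged by: " + ", ".join(funcs) + ")"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Run against the sample it reports the account-management step as a backend error with the two hbac_sysdb_save functions named, which is the same conclusion the maintainers reach later in the thread; a genuine HBAC denial would show errnum 6 and no cache-save errors.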
Comment 1 Gowrishankar Rajaiyan 2011-08-25 08:16:33 EDT
Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please check if you have any empty hbac service groups configured, "ipa hbacsvcgroup-find --all" should help you find that. 

If yes, could you try authenticating again after removing the empty hbacsvcgroup?
Comment 2 Pieter Vogel 2011-08-26 03:59:09 EDT
Thanks for the quick reply!

There was one sudo group. It was not empty. After removing that one I am still not allowed to log in.

#ipa hbacsvcgroup-find --all
0 HBAC service groups matched
Number of entries returned 0

On the ipa-server I got this in my /var/log/krb5kdc.log. 

krb5kdc[26903](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: ipauser@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required

But that is also there when I downgrade sssd. 

I'll try today with different HBAC settings.
Comment 3 Gowrishankar Rajaiyan 2011-08-26 08:29:51 EDT
Hi Pieter, 

Thanks for your reply. 

In your bug description I see "[pam_print_data] (4): rhost: localhost", so I guess you are trying to authenticate as "ssh -l user localhost". AFAIK this will fail if you are using hbacrule for sshd service since you cannot add source host or target host as "localhost". 

Could you please try authenticating as "ssh -l ipauser $HOSTNAME" ?

Also, would like to see the output of "ipa hbacrule-find --all"

Thank you.
Comment 4 Pieter Vogel 2011-08-26 08:56:30 EDT
I tried both but copied the localhost one into this bugzilla.

#ipa hbacrule-find --all

is a lot of output, I attached it.

#ssh -l ipauser $HOSTNAME
ipauser@pvdesk2.office.domain.nl's password:
Connection closed by

The IP address is of course the IP address of the desktop.
Comment 5 Pieter Vogel 2011-08-26 08:57:49 EDT
Created attachment 520086 [details]
output of "ipa hbacrule-find --all"

output of "ipa hbacrule-find --all"
Comment 6 Stephen Gallagher 2011-08-26 10:29:04 EDT
Would you mind rerunning your original test (without having removed the SUDO service group) with debug_level = 8? Hopefully that will give us a little more information.
Comment 7 Gowrishankar Rajaiyan 2011-08-26 10:55:09 EDT
Hi Pieter, 

I think I reproduced your issue. Thanks for your output of hbacrule's.

Could you please do the following and confirm:

1. ipa hbacrule-remove-host ssh --hostgroups=desktops
2. ipa hbacrule-add-host ssh --hosts=pvdesk2.office.domain.nl
3. Try authenticating from pvdesk2.office.domain.nl as ipauser.
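Comments 3 and 7 both turn on how an HBAC rule selects the target host and the service: rules hold enrolled host names and host groups, so "localhost" can never match, and moving a host from a host group into the rule's direct host list should not change the decision. The following is an added example, not sssd's libipa_hbac and not anything from this bug: a simplified model of FreeIPA HBAC evaluation (a request is allowed when any enabled rule matches its user, target host and service; no matching rule means deny). The host-group and service-group memberships and the rule contents are constructed assumptions; the reporter's real rules are in the attachment. Note that this models only the policy decision; the failure in this bug happens in sssd's cache update before any decision is reached.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed IPA-side membership data (assumption, not the reporter's environment).
HOSTGROUP_MEMBERS: Dict[str, Set[str]] = {"desktops": {"pvdesk2.office.domain.nl"}}
SVCGROUP_MEMBERS: Dict[str, Set[str]] = {"sudo": {"sudo", "sudo-i"}, "empty-group": set()}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercategory_all: bool = False
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hostcategory_all: bool = False
    hosts: Set[str] = field(default_factory=set)       # enrolled FQDNs
    hostgroups: Set[str] = field(default_factory=set)
    servicecategory_all: bool = False
    services: Set[str] = field(default_factory=set)    # PAM service names
    svcgroups: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    user_groups: Set[str]
    host: str              # FQDN of the host running sssd, as enrolled in IPA
    host_groups: Set[str]
    service: str           # PAM service; "sshd" for the login in this thread


def host_groups_of(fqdn: str) -> Set[str]:
    return {g for g, members in HOSTGROUP_MEMBERS.items() if fqdn in members}


def _selected(all_flag: bool, direct: Set[str], groups: Set[str],
              name: str, name_groups: Set[str]) -> bool:
    """Category 'all', direct membership, or membership via any listed group."""
    return all_flag or name in direct or bool(groups & name_groups)


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    if not rule.enabled:
        return False
    user_ok = _selected(rule.usercategory_all, rule.users, rule.usergroups,
                        req.user, req.user_groups)
    host_ok = _selected(rule.hostcategory_all, rule.hosts, rule.hostgroups,
                        req.host, req.host_groups)
    # Service groups expand to their members; an empty group contributes no service.
    expanded = set(rule.services)
    for g in rule.svcgroups:
        expanded |= SVCGROUP_MEMBERS.get(g, set())
    svc_ok = rule.servicecategory_all or req.service in expanded
    return user_ok and host_ok and svc_ok


def hbac_allows(rules: List[HbacRule], req: AccessRequest) -> bool:
    """Allow-list semantics: any enabled matching rule grants access, otherwise deny."""
    return any(rule_matches(r, req) for r in rules)


def login_request(host: str, service: str = "sshd") -> AccessRequest:
    return AccessRequest(user="ipauser", user_groups={"ipausers"}, host=host,
                         host_groups=host_groups_of(host), service=service)


# Rule "ssh" as it stood before comment 7: target hosts come from the "desktops" hostgroup.
RULE_SSH_HOSTGROUP = HbacRule("ssh", usercategory_all=True,
                              hostgroups={"desktops"}, services={"sshd"})
# The same rule after "hbacrule-remove-host ssh --hostgroups=desktops" and
# "hbacrule-add-host ssh --hosts=pvdesk2.office.domain.nl".
RULE_SSH_DIRECT = HbacRule("ssh", usercategory_all=True,
                           hosts={"pvdesk2.office.domain.nl"}, services={"sshd"})
# A rule whose only service source is an empty service group (compare comment 1).
RULE_EMPTY_SVCGROUP = HbacRule("via-empty-group", usercategory_all=True,
                               hostcategory_all=True, svcgroups={"empty-group"})

if __name__ == "__main__":
    for label, rules, host in [
        ("hostgroup rule, enrolled host", [RULE_SSH_HOSTGROUP], "pvdesk2.office.domain.nl"),
        ("direct-host rule, enrolled host", [RULE_SSH_DIRECT], "pvdesk2.office.domain.nl"),
        ("hostgroup rule, 'localhost'", [RULE_SSH_HOSTGROUP], "localhost"),
        ("rule fed only by an empty svcgroup", [RULE_EMPTY_SVCGROUP], "pvdesk2.office.domain.nl"),
    ]:
        print(f"{label}: {'allow' if hbac_allows(rules, login_request(host)) else 'deny'}")
```

The two "ssh" rule variants give the same answer for the enrolled desktop, so comment 7's change is a diagnostic step rather than a policy change, and the "localhost" request is denied under either because no rule lists that name. In the policy model the empty service group simply grants nothing; the thread shows that sssd 1.5.12 instead hit an internal error on such data, which is why the reporter saw PAM_SYSTEM_ERR rather than a denial.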
Comment 8 Pieter Vogel 2011-08-29 05:55:51 EDT
After running 1 and 2 the host is now itself in the ssh hbacrule.

But authenticating is not working. It exits with the same errors.
Comment 9 Stephen Gallagher 2011-08-29 08:00:23 EDT
Pieter, I identified two bugs in the way we were processing HBAC rules. I've added patches to this scratch build:

Would you please install that build and see if it resolves your issue?
Comment 10 Pieter Vogel 2011-08-29 08:38:18 EDT
Created attachment 520377 [details]
debug output
Comment 11 Pieter Vogel 2011-08-29 08:40:09 EDT
#rpm -qa | grep sssd

#rpm -qa | grep libipa

#ssh -l ipauser pvdesk2.office.domain.nl
ipauser@pvdesk2.office.domain.nl's password: 
Connection closed by

log is in attached debug output
Comment 12 Stephen Gallagher 2011-08-29 09:00:26 EDT
Thanks! That log helped me spot another bug. We were returning an error where we should have been ignoring it instead.

I've created another scratch build for you to test here:

Please tell me whether this resolves your problem.
Comment 13 Pieter Vogel 2011-08-29 09:36:52 EDT
# rpm -qa | grep sssd

# rpm -qa | grep libipa

ssh -l ipauser pvdesk2.office.aboveit.nl
ipauser@pvdesk2.office.domain.nl's password: 
Last login: Mon Aug 29 15:30:26 2011 from pvdesk2.office.domain.nl

It works!

thanks for fixing.
Comment 14 Stephen Gallagher 2011-08-29 09:56:51 EDT
Thanks very much for testing!

I'm going to get this pushed out upstream in SSSD 1.5.13 later today, and it should turn up in an official Fedora update tomorrow.
Comment 15 Fedora Update System 2011-08-29 17:29:30 EDT
sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 has been submitted as an update for Fedora 15.
Comment 16 Fedora Update System 2011-08-30 21:40:11 EDT
Package sssd-1.5.13-1.fc15.1, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, openchange-0.9-18.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.1 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 openchange-0.9-18.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2011-09-06 20:27:20 EDT
Package sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.2 openchange-0.9-18.fc15.2 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2011-09-09 01:30:21 EDT
sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5, evolution-mapi-3.0.3-2.fc15, evolution-exchange-3.0.3-1.fc15, evolution-3.0.3-1.fc15, evolution-data-server-3.0.3-1.fc15, gtkhtml3-4.0.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.