Bug 733663
| Field | Value |
|---|---|
| Summary | Authentication fails when there exists an empty hbacsvcgroup. |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Gowrishankar Rajaiyan <grajaiya> |
| Component | sssd |
| Assignee | Stephen Gallagher <sgallagh> |
| Status | CLOSED ERRATA |
| QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 6.2 |
| CC | benl, grajaiya, jgalipea, jhrozek, kbanerje, prc |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.5.1-49.el6 |
| Doc Type | Bug Fix |
| Doc Text | Do not document |
| Story Points | --- |
| Clones | 748872 |
| Last Closed | 2011-12-06 16:39:45 UTC |
| Type | --- |
| Regression | --- |
| Bug Blocks | 748872 |
Description (Gowrishankar Rajaiyan)

Created attachment 520076 [details]: Complete sssd domain log

Description of problem: Authentication fails when there exists an empty hbacsvcgroup.

Version-Release number of selected component (if applicable): sssd-1.5.13-0.20110823T0331z.el6.x86_64

How reproducible: Always

Steps to Reproduce:

1. Create an ipa user "user1".
2. From the client, make sure you are able to log in using ssh.
3. Create an empty hbacsvcgroup:

```
# ipa hbacsvcgroup-add grp1 --desc=grp1
-------------------------------
Added HBAC service group "grp1"
-------------------------------
  Service group name: grp1
  Description: grp1
```

4. Try authenticating again as "user1".

Actual results: Authentication now fails for user1.

/var/log/secure:

```
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration
```

sssd domain log:

```
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services: [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: sh[0xa43a00], connected[1], ops[(nil)], ldap[0xa58110]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
```

Expected results: Authentication should not fail.

Additional info:

```
[root@bumblebee ~]# ipa hbacsvcgroup-find --all
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------
```

```
# ipa hbacrule-find --all
-------------------
1 HBAC rule matched
-------------------
  dn: ipauniqueid=9a926bd6-cd6d-11e0-9bfa-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
  accessruletype: allow
  ipauniqueid: 9a926bd6-cd6d-11e0-9bfa-525400deab7b
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------
```

/etc/sssd/sssd.conf:

```
[sssd]
services = nss, pam
config_file_version = 2
domains = lab.eng.pnq.redhat.com

[nss]

[pam]

[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
```

Comment

Upstream ticket: https://fedorahosted.org/sssd/ticket/981

Comment

```
[root@bumblebee ~]# ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@bumblebee ~]# ipa hbacsvcgroup-find
-----------------------------
3 HBAC service groups matched
-----------------------------
  Service group name: ftp
  Description: Default group of ftp related services
  Member HBAC service: ftp, proftpd, pure-ftpd, vsftpd, gssftp

  Service group name: grp1
  Description: grp1

  Service group name: Sudo
  Description: Default group of Sudo related services
  Member HBAC service: sudo, sudo-i
----------------------------
Number of entries returned 3
----------------------------
```

/var/log/secure:

```
Oct 3 08:40:29 bumblebee sshd[6312]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=mudflap.lab.eng.pnq.redhat.com user=shanks
Oct 3 08:40:30 bumblebee sshd[6312]: Accepted password for shanks from 10.65.201.66 port 44746 ssh2
Oct 3 08:40:30 bumblebee sshd[6312]: pam_unix(sshd:session): session opened for user shanks by (uid=0)
```

Verified.

```
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 53.el6                        Build Date: Fri 30 Sep 2011 10:10:28 AM EDT
Install Date: Mon 03 Oct 2011 08:30:33 AM EDT      Build Host: hs20-bc2-3.build.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-53.el6.src.rpm
Size        : 3551489                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
```

Comment

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: Do not document

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html
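The logs in this report carry a signature worth recognising when triaging login failures on an IPA client: `pam_sss` reports success in the `auth` phase, then the `account` phase is denied with PAM return code 4 (`PAM_SYSTEM_ERR`, "System error") rather than 6 (`PAM_PERM_DENIED`), and the sssd domain log shows `hbac_sysdb_save` failing with errno 2 while refreshing the HBAC rule cache. A code 4 denial means sssd could not evaluate the access rules at all, which is a different problem from a rule that actually denies the user. The following triage helper is an added example and not part of this bug report, sssd, or IPA; its sample log lines are constructed from the excerpts above plus one extra line (`user2`, code 6) to show an ordinary policy denial for contrast, and the `ipa hbacsvcgroup-find` follow-up it suggests is the check used in the verification comment.

```python
"""Correlate PAM account-phase denials with sssd HBAC cache-save errors.

Added example (not sssd/IPA code).  Sample input is constructed from the
log excerpts in bug 733663, with one extra constructed line for user2.
"""
import re
from typing import Dict, List

# Constructed sample of /var/log/secure.
SECURE_LOG = """\
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:05:10 ironhide sshd[25099]: pam_sss(sshd:account): Access denied for user user2: 6 (Permission denied)
"""

# Constructed sample of the sssd domain log (sssd_<domain>.log).
SSSD_LOG = """\
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services: [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

PAM_SYSTEM_ERR = 4    # Linux-PAM: module hit an internal failure
PAM_PERM_DENIED = 6   # Linux-PAM: access rules evaluated to "deny"
ENOENT = 2

ACCOUNT_DENIED = re.compile(
    r"pam_sss\((?P<service>[^:]+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
SSSD_ENTRY = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
ERRNO_IN_MSG = re.compile(r"\[(?P<errno>\d+)\]\[(?P<strerror>[^\]]*)\]")

# Functions seen in the report that write the HBAC rule cache.
HBAC_SAVE_FUNCS = {"ipa_hbac_sysdb_save", "hbac_sysdb_save"}


def account_denials(secure_text: str) -> Dict[int, List[str]]:
    """Group users denied in the PAM account phase by pam_sss return code."""
    out: Dict[int, List[str]] = {}
    for line in secure_text.splitlines():
        m = ACCOUNT_DENIED.search(line)
        if m:
            out.setdefault(int(m["code"]), []).append(m["user"])
    return out


def hbac_save_errors(sssd_text: str) -> List[Dict[str, object]]:
    """Return HBAC cache-save failures together with the errno sssd logged."""
    found: List[Dict[str, object]] = []
    for line in sssd_text.splitlines():
        m = SSSD_ENTRY.match(line)
        if not m or m["func"] not in HBAC_SAVE_FUNCS:
            continue
        e = ERRNO_IN_MSG.search(m["msg"])
        if e:  # lines without "[errno][strerror]" are context only
            found.append({"func": m["func"], "errno": int(e["errno"]),
                          "strerror": e["strerror"], "msg": m["msg"]})
    return found


def triage(secure_text: str, sssd_text: str) -> Dict[str, object]:
    """Separate internal-error denials from policy denials and flag the
    empty-hbacsvcgroup signature: PAM_SYSTEM_ERR plus an ENOENT cache save."""
    denials = account_denials(secure_text)
    errnos = sorted({int(s["errno"]) for s in hbac_save_errors(sssd_text)})
    system_err_users = denials.get(PAM_SYSTEM_ERR, [])
    matches = bool(system_err_users) and ENOENT in errnos
    return {
        "system_error_users": system_err_users,
        "policy_denied_users": denials.get(PAM_PERM_DENIED, []),
        "hbac_save_errnos": errnos,
        "matches_empty_hbacsvcgroup_signature": matches,
        # Follow-up check from the report: look for groups without members.
        "next_check": ("ipa hbacsvcgroup-find --all  "
                       "# groups lacking 'Member HBAC service'") if matches else None,
    }


if __name__ == "__main__":
    for key, value in triage(SECURE_LOG, SSSD_LOG).items():
        print(f"{key}: {value}")
```

Run against real files by reading `/var/log/secure` and the sssd domain log (`/var/log/sssd/sssd_<domain>.log`; `debug_level = 9` as in the report's `sssd.conf` is needed for the `hbac_sysdb_save` lines). A non-empty `system_error_users` list with no matching `hbac_save_errnos` still points at an sssd backend failure rather than at the HBAC policy itself, so the two outputs should be read together.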