Bug 974033

Summary: sssd could not initialize backend when setup with obfuscated_password and a base64 encoded password
Product: Red Hat Enterprise Linux 5
Component: sssd
Version: 5.10
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Target Milestone: rc
Keywords: Reopened
Reporter: Amith <apeetham>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Kaushik Banerjee <kbanerje>
CC: apeetham, grajaiya, jgalipea, lslebodn, okos, pbrezina
Flags: apeetham: needinfo-
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-06-26 11:11:53 UTC

Description Amith 2013-06-13 10:25:14 UTC
Description of problem:
sssd fails to start sssd_be, sssd_nss and sssd_pam processes when "ldap_default_authtok_type = obfuscated_password" and "ldap_default_authtok = U2VjcmV0MTIz" 

Version-Release number of selected component (if applicable):
sssd-1.5.1-68.el5

How reproducible:
Always

Steps to Reproduce:
1. Set up the domain section of sssd.conf as given below:

[domain/default]
ldap_schema = rfc2307
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=Directory Manager
debug_level = 9
ldap_uri = ldap://SERVER
cache_credentials = False
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc 
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = U2VjcmV0MTIz

2. Use a base64 encoded password with parameter "ldap_default_authtok".

3. Start the sssd service and list the processes.

# ps -ef | grep sssd
root     29742     1  0 19:20 ?        00:00:00 /usr/sbin/sssd -f -D 

Actual results:
SSSD does not initialize all the backend processes.

Expected results:
Backend process should be running.

Additional info:

See the relevant log below:

(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [krb5_try_kdcip] (4): No KDC found in configuration, trying legacy option
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [ldap_get_options] (9): Found obfuscated password, trying to convert to cleartext.
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [sss_password_decrypt] (8): Read method: 25939
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [sss_password_decrypt] (8): Read bufsize: 29283
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [get_crypto_mech_data] (1): Unsupported cipher type
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [ldap_get_options] (1): Cannot convert the obfuscated password back to cleartext
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [load_backend_module] (0): Error (22) in module (ldap) initialization (sssm_ldap_id_init)!
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [be_process_init] (0): fatal error initializing data providers
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [main] (0): Could not initialize backend [22]
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [sbus_remove_watch] (8): 0x18fcf3c0/0x18fcf0b0
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [remove_socket_symlink] (9): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_default.29819]
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [remove_socket_symlink] (9): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_default.29819]
(Mon Jun 10 19:22:05 2013) [sssd[be[default]]] [remove_socket_symlink] (9): Removed the symlink

Comment 1 Jakub Hrozek 2013-06-18 07:21:30 UTC
Ondra will take a look

Comment 2 Ondrej Kos 2013-06-20 09:12:25 UTC
Hi,

This is caused by misconfiguration; the backend should not start, meaning that sssd itself should fail.

*** This bug has been marked as a duplicate of bug 974036 ***

Comment 3 Jakub Hrozek 2013-06-20 10:48:18 UTC
That might not be the issue, please check if the obfuscation works with 5.10. Amith was reporting that the cleartext password worked, but not obfuscated with the latest packages.

Comment 4 Ondrej Kos 2013-06-20 12:27:53 UTC
The test case was supposed to fail: the provided obfuscated password was not generated by sss_obfuscate but directly through base64, and is not right. This case should only detect the following line:

[ldap_get_options] (1): Cannot convert the obfuscated password back to cleartext

and quit as success; however, it failed. The probable cause is that the main sssd process is not killed, targeting https://bugzilla.redhat.com/show_bug.cgi?id=974036

Setting the needinfo flag to clarify that we're waiting for the results of the next test build (after the mentioned BZ 974036 is VERIFIED).
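
Added example (not part of the bug thread and not SSSD code): decoding the reported ldap_default_authtok value shows where the logged "Read method: 25939" and "Read bufsize: 29283" come from, since the first four bytes of a plain base64 password are read as two header fields. The header layout (two little-endian 16-bit integers) and method 0 being the only supported cipher are assumptions, consistent with the log output above.

```python
import base64
import struct

# Assumptions (not stated in the bug report): the decoded blob starts with two
# little-endian 16-bit fields, cipher method then buffer size, and method 0 is
# the only supported cipher.
HEADER = struct.Struct("<HH")
SUPPORTED_METHODS = {0}


def inspect_authtok(token):
    """Decode an ldap_default_authtok value and read its two header fields."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < HEADER.size:
        raise ValueError("decoded token is shorter than the 4-byte header")
    method, bufsize = HEADER.unpack_from(raw)
    return {
        "method": method,
        "bufsize": bufsize,
        "payload_len": len(raw) - HEADER.size,
        # All-printable bytes suggest base64 of a cleartext password.
        "printable": all(0x20 <= b < 0x7F for b in raw),
    }


def preflight(token):
    """Return reasons the token cannot be sss_obfuscate output (empty if none)."""
    try:
        info = inspect_authtok(token)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return ["not a decodable blob: %s" % exc]
    problems = []
    if info["method"] not in SUPPORTED_METHODS:
        problems.append("unsupported cipher method %d" % info["method"])
    if info["bufsize"] > info["payload_len"]:
        problems.append("buffer size %d exceeds the %d bytes that follow"
                        % (info["bufsize"], info["payload_len"]))
    if info["printable"]:
        problems.append("decodes to printable text, likely plain base64")
    return problems


if __name__ == "__main__":
    reported = "U2VjcmV0MTIz"  # value from the report's sssd.conf
    print(inspect_authtok(reported))
    for reason in preflight(reported):
        print("reject:", reason)
```

A check like this can run against sssd.conf before the service is restarted, so a hand-encoded token is caught before the backend refuses to initialize.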

Comment 5 Jakub Hrozek 2013-06-25 11:39:11 UTC
Amith, I've built the latest packages. Can you check if this bug went away with the latest build?

Comment 6 Amith 2013-06-26 08:57:34 UTC
Jakub, 
Yes, the bug is fixed and I verified BZ https://bugzilla.redhat.com/show_bug.cgi?id=974036 on the latest build - sssd-1.5.1-69.el5

As expected, SSSD core process fails to start if the sssd.conf is misconfigured.

Comment 7 Jakub Hrozek 2013-06-26 11:11:53 UTC
Great, we can mark it as a duplicate then.

Thank you for testing!

*** This bug has been marked as a duplicate of bug 974036 ***