Description of problem:
"System Error" when invalid ad_access_filter is used

Version-Release number of selected component (if applicable):
sssd-1.11.2-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Add an invalid search filter like "ad_access_filter = group1_dom1" in sssd.conf
2. Try to login as a user.

Actual results:
Login fails, but system error appears in logs:

(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]][sdap_access_filter_get_access_done] (0x0020): sdap_get_generic_send() returned error [5][Input/output error]
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]] [sdap_access_filter_done] (0x0020): Error retrieving access check result.
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]] [ad_access_done] (0x0040): Error retrieving access check result: Input/output error
(Thu Nov 21 17:15:07 2013) [sssd[be[sssdad.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Input/output error) [Internal Error (System error)]

Expected results:
Instead of "System Error" print a nicer error message to syslog.

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2164
Fixed upstream:
master: 2a96981a0ac781d01e5bba473409ed2bdf4cd4e0
sssd-1-11: cb85329bf73f55f6433d3a9194d2b87c631aea4a
Verified in version 1.11.2-23.el7

Output from beaker automation run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_10: bz 1033133 invalid ad_access_filter
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_permission_denied user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'Bad search filter'
:: [ PASS ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'System error'
:: [ LOG ] :: Duration: 6s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_10: bz 1033133 invalid ad_access_filter
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.