Created attachment 1430995 [details]
Lists of upgrades and downgrades that cause and remove the bug

Description of problem:
After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a freeipa 4.5.0 domain.

Version-Release number of selected component (if applicable):
sssd-1.16.1-3.fc27.x86_64

How reproducible:
Happens every time sssd is updated to version 1.16.1-3

Steps to Reproduce:
1. Upgrade to sssd-1.16.1-3.fc27.x86_64 and associated packages
2. Try to ssh to another ipa-joined host that has an SSH host key trusted in ipa

Actual results:
Running "ssh hostname2.ipa.example.com" prompts the user to accept a new SSH host key.

Expected results:
No prompt about trusting the host ssh key should appear, because the host key is trusted in ipa already.

Additional info:
Running "dnf downgrade sssd" resumes the normal behavior of receiving the known_hosts from the freeipa domain.
Just for the record, and without spending any time properly trying to reproduce the issue, I wonder whether this is related to https://github.com/SSSD/sssd/commit/0f6b5b02afb35caae774ff4d52854a844d49f52e
(In reply to Fabiano Fidêncio from comment #1)
> Just for the record and without spending any time properly trying to
> reproduce the issue I wonder whether this is related to
> https://github.com/SSSD/sssd/commit/0f6b5b02afb35caae774ff4d52854a844d49f52e

Ah, no, never mind. For some reason I got confused with ssh and sudo.

I'll set up an environment here and try to reproduce the issue. Meanwhile, it would be really nice if the reporter could provide sssd logs with a high enough debug_level set.

Please add debug_level = 9 in both [ssh] and [domain] sections. Also, please mind to sanitize the logs before uploading them here.
(In reply to bgstack15 from comment #0)
> Created attachment 1430995 [details]
> Lists of upgrades and downgrades that cause and remove the bug
>
> Description of problem:
> After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> freeipa 4.5.0 domain.
>

I'm so sorry for the issues.
Could you test the following scratch build?

https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976
(In reply to Lukas Slebodnik from comment #3)
> (In reply to bgstack15 from comment #0)
> > Created attachment 1430995 [details]
> > Lists of upgrades and downgrades that cause and remove the bug
> >
> > Description of problem:
> > After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> > /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> > freeipa 4.5.0 domain.
> >
>
> I'm so sorry for issues.
> Could you test following scratch build?
>
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976

Lukas,

Thanks for jumping in. May I ask what's the patch you're providing?
Adding back the needinfo to Lukas according to https://bugzilla.redhat.com/show_bug.cgi?id=1574778#c4
Created attachment 1431273 [details]
sssd.log since restarting daemon with debug_level=9

dns1.ipa.example.com is the openssh target host, as well as the dns provider on the network.
Created attachment 1431274 [details] sssd_ssh.log
(In reply to Lukas Slebodnik from comment #3)
> (In reply to bgstack15 from comment #0)
> > Created attachment 1430995 [details]
> > Lists of upgrades and downgrades that cause and remove the bug
> >
> > Description of problem:
> > After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> > /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> > freeipa 4.5.0 domain.
> >
>
> I'm so sorry for issues.
> Could you test following scratch build?
>
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976

I have just tested with the packages from the koji link. I could not figure out a clever way to connect to a dnf repository, so I just downloaded the requisite files manually and used dnf to install them.

Running with these packages, my known_hosts populates correctly from ipa!

Downgrading:
 libipa_hbac          x86_64  1.16.1-3_bz1574778.fc27  @commandline   86 k
 libsss_autofs        x86_64  1.15.3-5.fc27            fedora         83 k
 libsss_certmap       x86_64  1.15.3-5.fc27            fedora        104 k
 libsss_idmap         x86_64  1.16.1-3_bz1574778.fc27  @commandline   90 k
 libsss_sudo          x86_64  1.15.3-5.fc27            fedora         81 k
 python3-libipa_hbac  x86_64  1.16.1-3_bz1574778.fc27  @commandline   78 k
 python3-sssdconfig   noarch  1.16.1-3_bz1574778.fc27  @commandline  103 k
 sssd                 x86_64  1.16.1-3_bz1574778.fc27  @commandline   78 k
 sssd-ad              x86_64  1.16.1-3_bz1574778.fc27  @commandline  208 k
 sssd-client          x86_64  1.16.1-3_bz1574778.fc27  @commandline  146 k
 sssd-common          x86_64  1.16.1-3_bz1574778.fc27  @commandline  1.3 M
 sssd-common-pac      x86_64  1.16.1-3_bz1574778.fc27  @commandline  150 k
 sssd-ipa             x86_64  1.16.1-3_bz1574778.fc27  @commandline  299 k
 sssd-kcm             x86_64  1.16.1-3_bz1574778.fc27  @commandline  196 k
 sssd-krb5            x86_64  1.16.1-3_bz1574778.fc27  @commandline  119 k
 sssd-krb5-common     x86_64  1.16.1-3_bz1574778.fc27  @commandline  156 k
 sssd-ldap            x86_64  1.16.1-3_bz1574778.fc27  @commandline  171 k
 sssd-nfs-idmap       x86_64  1.15.3-5.fc27            fedora         79 k
 sssd-proxy           x86_64  1.16.1-3_bz1574778.fc27  @commandline  114 k
Okay, that's good to know.

Lukáš removed Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch on his build, which is: https://github.com/SSSD/sssd/commit/cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63

Pavel, would you mind taking a look at this?
Last but not least ... Lukáš, nice catch!
*** Bug 1575264 has been marked as a duplicate of this bug. ***
sssd-1.16.1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-29e4d12fa1
sssd-1.16.1-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-900d2b7675
sssd-1.16.1-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7efba18539
sssd-1.16.1-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-900d2b7675
sssd-1.16.1-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-29e4d12fa1
sssd-1.16.1-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7efba18539
sssd-1.16.1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.16.1-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.16.1-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Clearing need info. I will work on the original ticket whose commit was reverted.