Bug 1574778 - sssd fails to download known_hosts from freeipa
Summary: sssd fails to download known_hosts from freeipa
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 27
Hardware: x86_64
OS: Unspecified
high
urgent
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Regression
Duplicates: 1575264
Depends On:
Blocks:
Reported: 2018-05-04 02:48 UTC by bgstack15
Modified: 2018-05-21 12:45 UTC
Last Closed: 2018-05-09 21:25:41 UTC


Attachments
Lists of upgrades and downgrades that cause and remove the bug (3.00 KB, text/plain)
2018-05-04 02:48 UTC, bgstack15
sssd.log since restarting daemon with debug_level=9 (101.60 KB, text/plain)
2018-05-04 11:12 UTC, bgstack15
sssd_ssh.log (196.44 KB, text/plain)
2018-05-04 11:13 UTC, bgstack15

Description bgstack15 2018-05-04 02:48:10 UTC
Created attachment 1430995 [details]
Lists of upgrades and downgrades that cause and remove the bug

Description of problem:
After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a freeipa 4.5.0 domain.

Version-Release number of selected component (if applicable):
sssd-1.16.1-3.fc27.x86_64

How reproducible:
Happens every time sssd is updated to version 1.16.1-3

Steps to Reproduce:
1. Upgrade to sssd-1.16.1-3.fc27.x86_64 and associated packages
2. Try to ssh to another ipa-joined host that has an SSH host key trusted in ipa

Actual results:
Running "ssh hostname2.ipa.example.com" prompts the user to accept a new SSH host key.

Expected results:
No prompt about trusting the host ssh key should appear, because the host key is trusted in ipa already.

Additional info:
Running "dnf downgrade sssd" resumes the normal behavior of receiving the known_hosts from the freeipa domain.
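
A check for the symptom described in this report, as an added example that is not part of the original bug thread or of sssd. The function name, the SSS_KNOWN_HOSTS variable and the return codes are this example's own choices, and it assumes plain host names in the file (hashed entries and wildcard patterns are not matched):

```shell
#!/bin/sh
# Added example. Return codes are this example's own convention:
#   0 = a key line names the host
#   1 = the file has key lines, but none for this host
#   2 = the file is missing, empty, or holds no key lines (the symptom above)
SSS_KNOWN_HOSTS=${SSS_KNOWN_HOSTS:-/var/lib/sss/pubconf/known_hosts}

check_sss_known_host() {
    host=$1
    file=${2:-$SSS_KNOWN_HOSTS}

    # -s is true only for an existing file with size > 0.
    [ -s "$file" ] || return 2

    awk -v want="$host" '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        $1 == "@revoked"     { next }      # a revoked key is not a trusted key
        {
            entries++
            f = ($1 ~ /^@/) ? 2 : 1        # step over a leading @cert-authority
            n = split($f, names, ",")      # the host field may list several names
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (name ~ /^\[.*\]:[0-9]+$/) {   # [host]:port form
                    sub(/^\[/, "", name)
                    sub(/\]:[0-9]+$/, "", name)
                }
                if (tolower(name) == tolower(want)) found = 1
            }
        }
        END {
            if (found)   exit 0
            if (entries) exit 1
            exit 2
        }
    ' "$file"
}
```

Call it as `check_sss_known_host hostname2.ipa.example.com` after the ssh attempt from step 2 of the reproduction; a return code of 2 matches the empty file reported here.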

Comment 1 Fabiano Fidêncio 2018-05-04 06:53:40 UTC
Just for the record and without spending any time properly trying to reproduce the issue I wonder whether this is related to https://github.com/SSSD/sssd/commit/0f6b5b02afb35caae774ff4d52854a844d49f52e

Comment 2 Fabiano Fidêncio 2018-05-04 06:58:46 UTC
(In reply to Fabiano Fidêncio from comment #1)
> Just for the record and without spending any time properly trying to
> reproduce the issue I wonder whether this is related to
> https://github.com/SSSD/sssd/commit/0f6b5b02afb35caae774ff4d52854a844d49f52e

Ah, no, never mind. For some reason I got confused with ssh and sudo.
I'll set up an environment here and try to reproduce the issue.

Meanwhile, it would be really nice if the reporter could provide sssd logs with a high enough debug_level set.

Please add debug_level = 9 in both the [ssh] and [domain] sections. Also, please remember to sanitize the logs before uploading them here.

Comment 3 Lukas Slebodnik 2018-05-04 09:00:31 UTC
(In reply to bgstack15 from comment #0)
> Created attachment 1430995 [details]
> Lists of upgrades and downgrades that cause and remove the bug
> 
> Description of problem:
> After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> freeipa 4.5.0 domain.
> 

I'm so sorry for the issues.
Could you test the following scratch build?

https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976

Comment 4 Fabiano Fidêncio 2018-05-04 09:09:33 UTC
(In reply to Lukas Slebodnik from comment #3)
> (In reply to bgstack15 from comment #0)
> > Created attachment 1430995 [details]
> > Lists of upgrades and downgrades that cause and remove the bug
> > 
> > Description of problem:
> > After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> > /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> > freeipa 4.5.0 domain.
> > 
> 
> I'm so sorry for the issues.
> Could you test the following scratch build?
> 
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976

Lukas,

Thanks for jumping in. May I ask what's the patch you're providing?

Comment 5 Fabiano Fidêncio 2018-05-04 09:19:06 UTC
Adding back the needinfo to Lukas according to https://bugzilla.redhat.com/show_bug.cgi?id=1574778#c4

Comment 6 bgstack15 2018-05-04 11:12 UTC
Created attachment 1431273 [details]
sssd.log since restarting daemon with debug_level=9

dns1.ipa.example.com is the openssh target host, as well as the dns provider on the network.

Comment 7 bgstack15 2018-05-04 11:13 UTC
Created attachment 1431274 [details]
sssd_ssh.log

Comment 8 bgstack15 2018-05-04 11:41:16 UTC
(In reply to Lukas Slebodnik from comment #3)
> (In reply to bgstack15 from comment #0)
> > Created attachment 1430995 [details]
> > Lists of upgrades and downgrades that cause and remove the bug
> > 
> > Description of problem:
> > After upgrading to sssd 1.16.1-3.fc27 and its dependencies, file
> > /var/lib/sss/pubconf/known_hosts is empty. The fc27s hosts are joined to a
> > freeipa 4.5.0 domain.
> > 
> 
> I'm so sorry for the issues.
> Could you test the following scratch build?
> 
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26762976

I have just tested with the packages from the koji link. I could not figure out a clever way to connect to a dnf repository, so I just downloaded the requisite files manually and used dnf to install them.

Running with these packages, my known_hosts populates correctly from ipa!

Downgrading:
 libipa_hbac            x86_64    1.16.1-3_bz1574778.fc27       @commandline     86 k
 libsss_autofs          x86_64    1.15.3-5.fc27                 fedora           83 k
 libsss_certmap         x86_64    1.15.3-5.fc27                 fedora          104 k
 libsss_idmap           x86_64    1.16.1-3_bz1574778.fc27       @commandline     90 k
 libsss_sudo            x86_64    1.15.3-5.fc27                 fedora           81 k
 python3-libipa_hbac    x86_64    1.16.1-3_bz1574778.fc27       @commandline     78 k
 python3-sssdconfig     noarch    1.16.1-3_bz1574778.fc27       @commandline    103 k
 sssd                   x86_64    1.16.1-3_bz1574778.fc27       @commandline     78 k
 sssd-ad                x86_64    1.16.1-3_bz1574778.fc27       @commandline    208 k
 sssd-client            x86_64    1.16.1-3_bz1574778.fc27       @commandline    146 k
 sssd-common            x86_64    1.16.1-3_bz1574778.fc27       @commandline    1.3 M
 sssd-common-pac        x86_64    1.16.1-3_bz1574778.fc27       @commandline    150 k
 sssd-ipa               x86_64    1.16.1-3_bz1574778.fc27       @commandline    299 k
 sssd-kcm               x86_64    1.16.1-3_bz1574778.fc27       @commandline    196 k
 sssd-krb5              x86_64    1.16.1-3_bz1574778.fc27       @commandline    119 k
 sssd-krb5-common       x86_64    1.16.1-3_bz1574778.fc27       @commandline    156 k
 sssd-ldap              x86_64    1.16.1-3_bz1574778.fc27       @commandline    171 k
 sssd-nfs-idmap         x86_64    1.15.3-5.fc27                 fedora           79 k
 sssd-proxy             x86_64    1.16.1-3_bz1574778.fc27       @commandline    114 k

Comment 9 Fabiano Fidêncio 2018-05-04 11:49:04 UTC
Okay, that's good to know.

Lukáš removed Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch on his build, which is: https://github.com/SSSD/sssd/commit/cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63

Pavel, would you mind taking a look at this?

Comment 10 Fabiano Fidêncio 2018-05-04 11:52:03 UTC
Last but not least ... Lukáš, nice catch!

Comment 11 Lukas Slebodnik 2018-05-05 17:03:00 UTC
*** Bug 1575264 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2018-05-05 20:26:49 UTC
sssd-1.16.1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-29e4d12fa1

Comment 13 Fedora Update System 2018-05-05 20:30:47 UTC
sssd-1.16.1-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-900d2b7675

Comment 14 Fedora Update System 2018-05-05 20:34:59 UTC
sssd-1.16.1-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7efba18539

Comment 15 Fedora Update System 2018-05-06 23:42:30 UTC
sssd-1.16.1-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-900d2b7675

Comment 16 Fedora Update System 2018-05-07 10:47:21 UTC
sssd-1.16.1-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-29e4d12fa1

Comment 17 Fedora Update System 2018-05-07 12:47:29 UTC
sssd-1.16.1-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7efba18539

Comment 18 Fedora Update System 2018-05-09 21:25:41 UTC
sssd-1.16.1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2018-05-13 20:17:29 UTC
sssd-1.16.1-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2018-05-14 18:01:58 UTC
sssd-1.16.1-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Pavel Březina 2018-05-21 12:45:36 UTC
Clearing needinfo. I will work on the original ticket whose commit was reverted.

