Bug 733237 - sssd blocks login of ipa-users
Summary: sssd blocks login of ipa-users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 15
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 734101 748871
TreeView+ depends on / blocked
 
Reported: 2011-08-25 09:02 UTC by Pieter Vogel
Modified: 2011-10-25 14:08 UTC (History)
5 users (show)

Fixed In Version: sssd-1.5.13-1.fc15.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 734101 (view as bug list)
Environment:
Last Closed: 2011-09-09 05:30:41 UTC


Attachments (Terms of Use)
output of "ipa hbacrule-find --all" (4.00 KB, text/plain)
2011-08-26 12:57 UTC, Pieter Vogel
no flags Details
debug output (44.35 KB, text/x-log)
2011-08-29 12:38 UTC, Pieter Vogel
no flags Details


Links
System ID Priority Status Summary Last Updated
FedoraHosted SSSD 979 None None None Never

Description Pieter Vogel 2011-08-25 09:02:34 UTC
Description of problem:
after updating to 1.5.12-1 ipa users can no longer login

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:
always

Steps to Reproduce:
1. install Fedora 15 (withouth updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works  


Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allows everything for this user

Comment 1 Gowrishankar Rajaiyan 2011-08-25 12:16:33 UTC
Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please check if you have any empty hbac service groups configured, "ipa hbacsvcgroup-find --all" should help you find that. 

If yes, could try authenticating again after removing the empty hbacsvcgroup?

Comment 2 Pieter Vogel 2011-08-26 07:59:09 UTC
Thanks for the quick reply!

There was one sudo group. It was not empty. after removing that one I am still not allowed to log in


#ipa hbacsvcgroup-find --all
-----------------------------
0 HBAC service groups matched
-----------------------------
----------------------------
Number of entries returned 0
----------------------------


On the ipa-server I got this in my /var/log/krb5kdc.log. 

krb5kdc[26903](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.52.19: NEEDED_PREAUTH: ipauser@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required

But that is also there when I downgrade sssd. 

I try today with different HBAC settings.

Comment 3 Gowrishankar Rajaiyan 2011-08-26 12:29:51 UTC
Hi Pieter, 

Thanks for your reply. 

In your bug description I see "[pam_print_data] (4): rhost: localhost", so I guess you are trying to authenticate as "ssh -l user localhost". AFAIK this will fail if you are using hbacrule for sshd service since you cannot add source host or target host as "localhost". 

Could you please try authenticating as "ssh -l ipauser $HOSTNAME" ?

Also, would like to see the output of "ipa hbacrule-find --all"

Thank you.

Comment 4 Pieter Vogel 2011-08-26 12:56:30 UTC
I tried both but did copy the localhost one in this bugzilla.


#ipa hbacrule-find --all

is a lot of output, I attached it.


#ssh -l ipauser $HOSTNAME
ipauser@pvdesk2.office.domain.nl's password:
Connection closed by 10.183.52.19


The ip-address is off course the ip-address of the desktop

Comment 5 Pieter Vogel 2011-08-26 12:57:49 UTC
Created attachment 520086 [details]
output of "ipa hbacrule-find --all"

output of "ipa hbacrule-find --all"

Comment 6 Stephen Gallagher 2011-08-26 14:29:04 UTC
Would you mind rerunning your original test (without having removed the SUDO service group) with debug_level = 8? Hopefully that will give us a little more information.

Comment 7 Gowrishankar Rajaiyan 2011-08-26 14:55:09 UTC
Hi Pieter, 

I think I reproduced your issue. Thanks for your output of hbacrule's.

Could you please do the following and confirm:

1. ipa hbacrule-remove-host ssh --hostgroups=desktops
2. ipa hbacrule-add-host ssh --hosts=pvdesk2.office.domain.nl
3. Try authenticating from pvdesk2.office.domain.nl as a ipauser.

Comment 8 Pieter Vogel 2011-08-29 09:55:51 UTC
After running 1 and 2 the host is now itself in the ssh hbacrule.

But authenticating is not working. Exit's with the same errors.

Comment 9 Stephen Gallagher 2011-08-29 12:00:23 UTC
Pieter, I identified two bugs in the way we were processing HBAC rules. I've added patches to this scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3308550

Would you please install that build and see if it resolves your issue?

Comment 10 Pieter Vogel 2011-08-29 12:38:18 UTC
Created attachment 520377 [details]
debug output

Comment 11 Pieter Vogel 2011-08-29 12:40:09 UTC
#rpm -qa | grep sssd
sssd-1.5.12-1.fc15.1.x86_64
sssd-tools-1.5.12-1.fc15.1.x86_64
sssd-client-1.5.12-1.fc15.1.x86_64


#rpm -qa | grep libipa
libipa_hbac-1.5.12-1.fc15.1.x86_64

#ssh -l ipauser pvdesk2.office.domain.nl
ipauser@pvdesk2.office.domain.nl's password: 
Connection closed by 10.183.52.19

log is in attached debug output

Comment 12 Stephen Gallagher 2011-08-29 13:00:26 UTC
Thanks! That log helped me spot another bug. We were returning an error where we should have been ignoring it instead.

I've created another scratch build for you to test here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3308830

Please tell me whether this resolves your problem.

Comment 13 Pieter Vogel 2011-08-29 13:36:52 UTC
# rpm -qa | grep sssd
sssd-client-1.5.12-1.fc15.2.x86_64
sssd-1.5.12-1.fc15.2.x86_64
sssd-tools-1.5.12-1.fc15.2.x86_64

# rpm -qa | grep libipa
libipa_hbac-1.5.12-1.fc15.2.x86_64

ssh -l ipauser pvdesk2.office.aboveit.nl
ipauser@pvdesk2.office.domain.nl's password: 
Last login: Mon Aug 29 15:30:26 2011 from pvdesk2.office.domain.nl


It works!

thanks for fixing.

Comment 14 Stephen Gallagher 2011-08-29 13:56:51 UTC
Thanks very much for testing!

I'm going to get this pushed out upstream in SSSD 1.5.13 later today, and it should turn up in an official Fedora update tomorrow.

Comment 15 Fedora Update System 2011-08-29 21:29:30 UTC
sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15

Comment 16 Fedora Update System 2011-08-31 01:40:11 UTC
Package sssd-1.5.13-1.fc15.1, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, openchange-0.9-18.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.1 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 openchange-0.9-18.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.5,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2011-09-07 00:27:20 UTC
Package sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.2 openchange-0.9-18.fc15.2 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.2,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.2,samba4-4.0.0-25.alpha11.fc15.5,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2011-09-09 05:30:21 UTC
sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5, evolution-mapi-3.0.3-2.fc15, evolution-exchange-3.0.3-1.fc15, evolution-3.0.3-1.fc15, evolution-data-server-3.0.3-1.fc15, gtkhtml3-4.0.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.