Bug 733237 - sssd blocks login of ipa-users
sssd blocks login of ipa-users
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
x86_64 Linux
unspecified Severity unspecified
Assigned To: Stephen Gallagher
Fedora Extras Quality Assurance
Depends On:
Blocks: 734101 748871
Reported: 2011-08-25 05:02 EDT by Pieter Vogel
Modified: 2011-10-25 10:08 EDT (History)

See Also:
Fixed In Version: sssd-1.5.13-1.fc15.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 734101 (view as bug list)
Last Closed: 2011-09-09 01:30:41 EDT

Attachments (Terms of Use)
output of "ipa hbacrule-find --all" (4.00 KB, text/plain)
2011-08-26 08:57 EDT, Pieter Vogel
no flags Details
debug output (44.35 KB, text/x-log)
2011-08-29 08:38 EDT, Pieter Vogel
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
FedoraHosted SSSD 979 None None None Never

Description Pieter Vogel 2011-08-25 05:02:34 EDT
Description of problem:
After updating to 1.5.12-1, IPA users can no longer log in.

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:

Steps to Reproduce:
1. Install Fedora 15 (without updates) and connect to a RHEL IPA server.
2. Login as ipauser works.
3. Update to sssd-1.5.12 (or update everything).
4. Login as ipauser no longer works.

Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][]
[be_pam_handler_callback] (4): Sent result [0][]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain:
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Probably a directory is missing, but I can't find which one.
The HBAC rules allow everything for this user.
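The debug output above has a regular "[function] (level): message" shape, and the interesting part is the sequence from "Got request" through the pam_print_data fields to the "Backend returned" result. As an added example that is not part of this bug report and is not SSSD's own code, the following Python script groups such lines into PAM requests and reports every request the backend rejected together with the error messages logged just before it, which is how one would turn this log into an alert or a ticket rather than reading it by hand. The sample input is the log excerpt from the description; the meaning given to the two numbers in "Backend returned" (provider result, then PAM status) is an assumption based on the values shown in this report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shape seen in this bug's sssd backend log: "[function] (level): message".
LINE_RE = re.compile(r"^\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
# "Backend returned: (0, 0, <NULL>) [Success]"; the two numbers are assumed to be
# the data-provider result and the PAM status (the report shows (3, 4) on failure).
RESULT_RE = re.compile(
    r"Backend returned: \((?P<dp_err>\d+), (?P<pam>\d+), [^)]*\) \[(?P<text>[^\]]*)\]"
)
# "user: ipauser", "authtok type: 0", "domain:" (empty value is allowed).
FIELD_RE = re.compile(r"^(?P<key>[a-z_ ]+): ?(?P<val>.*)$")


@dataclass
class PamRequest:
    fields: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)   # level 1-3 error lines before the result
    dp_err: Optional[int] = None
    pam_status: Optional[int] = None
    result_text: str = ""

    def failed(self) -> bool:
        # PAM_SUCCESS is 0; anything else means the backend rejected the request.
        return self.pam_status not in (None, 0)


def parse_sssd_log(lines):
    """Group backend log lines into PAM requests and attach preceding errors."""
    requests = []
    current = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, level, msg = m["func"], int(m["level"]), m["msg"]
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = PamRequest()          # a new request starts here
            requests.append(current)
        elif current is None:
            continue                        # lines before the first request
        elif func == "pam_print_data":
            f = FIELD_RE.match(msg)
            if f:
                current.fields[f["key"].strip()] = f["val"].strip()
        elif func == "be_pam_handler_callback":
            r = RESULT_RE.search(msg)
            if r:
                current.dp_err = int(r["dp_err"])
                current.pam_status = int(r["pam"])
                current.result_text = r["text"]
                current = None              # request is complete
        elif level <= 3 and ("Error" in msg or "Could not" in msg):
            current.errors.append(f"[{func}] {msg}")
    return requests


def summarize(requests):
    """One record per failed request: who, which PAM stage, and the likely cause."""
    out = []
    for r in requests:
        if r.failed():
            out.append({
                "command": r.fields.get("command"),
                "user": r.fields.get("user"),
                "service": r.fields.get("service"),
                "rhost": r.fields.get("rhost"),
                "result": r.result_text,
                "causes": list(r.errors),
            })
    return out


# Sample input: the debug_level = 5 excerpt from the bug description.
SAMPLE_LOG = """\
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][]
[be_pam_handler_callback] (4): Sent result [0][]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain:
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

if __name__ == "__main__":
    for rec in summarize(parse_sssd_log(SAMPLE_LOG.splitlines())):
        print(rec)
```

Run against the excerpt, the script reports a single failed PAM_ACCT_MGMT request for ipauser from sshd with three error lines from the HBAC save path attached, which matches the diagnosis later in the thread: the lookup failure that should have been ignored turned into a fatal result for the account-management stage, not the authentication stage.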
Comment 1 Gowrishankar Rajaiyan 2011-08-25 08:16:33 EDT
Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please check whether you have any empty HBAC service groups configured? "ipa hbacsvcgroup-find --all" should help you find that.

If yes, could you try authenticating again after removing the empty hbacsvcgroup?
Comment 2 Pieter Vogel 2011-08-26 03:59:09 EDT
Thanks for the quick reply!

There was one sudo group. It was not empty. After removing that one, I am still not allowed to log in.

#ipa hbacsvcgroup-find --all
0 HBAC service groups matched
Number of entries returned 0

On the ipa-server I got this in my /var/log/krb5kdc.log. 

krb5kdc[26903](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: ipauser@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required

But that is also there when I downgrade sssd. 

I will try today with different HBAC settings.
Comment 3 Gowrishankar Rajaiyan 2011-08-26 08:29:51 EDT
Hi Pieter, 

Thanks for your reply. 

In your bug description I see "[pam_print_data] (4): rhost: localhost", so I guess you are trying to authenticate as "ssh -l user localhost". AFAIK this will fail if you are using hbacrule for sshd service since you cannot add source host or target host as "localhost". 

Could you please try authenticating as "ssh -l ipauser $HOSTNAME" ?

Also, would like to see the output of "ipa hbacrule-find --all"

Thank you.
Comment 4 Pieter Vogel 2011-08-26 08:56:30 EDT
I tried both but did copy the localhost one in this bugzilla.

#ipa hbacrule-find --all

is a lot of output, I attached it.

#ssh -l ipauser $HOSTNAME's password:
Connection closed by

The IP address is of course the IP address of the desktop.
Comment 5 Pieter Vogel 2011-08-26 08:57:49 EDT
Created attachment 520086 [details]
output of "ipa hbacrule-find --all"

output of "ipa hbacrule-find --all"
Comment 6 Stephen Gallagher 2011-08-26 10:29:04 EDT
Would you mind rerunning your original test (without having removed the SUDO service group) with debug_level = 8? Hopefully that will give us a little more information.
Comment 7 Gowrishankar Rajaiyan 2011-08-26 10:55:09 EDT
Hi Pieter, 

I think I reproduced your issue. Thanks for your output of the hbacrules.

Could you please do the following and confirm:

1. ipa hbacrule-remove-host ssh --hostgroups=desktops
2. ipa hbacrule-add-host ssh
3. Try authenticating as ipauser.
Comment 8 Pieter Vogel 2011-08-29 05:55:51 EDT
After running 1 and 2 the host is now itself in the ssh hbacrule.

But authenticating is not working. It exits with the same errors.
Comment 9 Stephen Gallagher 2011-08-29 08:00:23 EDT
Pieter, I identified two bugs in the way we were processing HBAC rules. I've added patches to this scratch build:

Would you please install that build and see if it resolves your issue?
Comment 10 Pieter Vogel 2011-08-29 08:38:18 EDT
Created attachment 520377 [details]
debug output
Comment 11 Pieter Vogel 2011-08-29 08:40:09 EDT
#rpm -qa | grep sssd

#rpm -qa | grep libipa

#ssh -l ipauser's password: 
Connection closed by

log is in attached debug output
Comment 12 Stephen Gallagher 2011-08-29 09:00:26 EDT
Thanks! That log helped me spot another bug. We were returning an error where we should have been ignoring it instead.

I've created another scratch build for you to test here:

Please tell me whether this resolves your problem.
Comment 13 Pieter Vogel 2011-08-29 09:36:52 EDT
# rpm -qa | grep sssd

# rpm -qa | grep libipa

ssh -l ipauser's password: 
Last login: Mon Aug 29 15:30:26 2011 from

It works!

Thanks for fixing.
Comment 14 Stephen Gallagher 2011-08-29 09:56:51 EDT
Thanks very much for testing!

I'm going to get this pushed out upstream in SSSD 1.5.13 later today, and it should turn up in an official Fedora update tomorrow.
Comment 15 Fedora Update System 2011-08-29 17:29:30 EDT
sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 has been submitted as an update for Fedora 15.
Comment 16 Fedora Update System 2011-08-30 21:40:11 EDT
Package sssd-1.5.13-1.fc15.1, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, openchange-0.9-18.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.1 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 openchange-0.9-18.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2011-09-06 20:27:20 EDT
Package sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.2 openchange-0.9-18.fc15.2 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2011-09-09 01:30:21 EDT
sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5, evolution-mapi-3.0.3-2.fc15, evolution-exchange-3.0.3-1.fc15, evolution-3.0.3-1.fc15, evolution-data-server-3.0.3-1.fc15, gtkhtml3-4.0.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
