Bug 733237 - sssd blocks login of ipa-users
Summary: sssd blocks login of ipa-users
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 15
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 734101 748871
TreeView+ depends on / blocked
Reported: 2011-08-25 09:02 UTC by Pieter Vogel
Modified: 2020-05-02 16:24 UTC (History)
5 users (show)

Fixed In Version: sssd-1.5.13-1.fc15.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 734101 (view as bug list)
Last Closed: 2011-09-09 05:30:41 UTC
Type: ---

Attachments (Terms of Use)
output of "ipa hbacrule-find --all" (4.00 KB, text/plain)
2011-08-26 12:57 UTC, Pieter Vogel
no flags Details
debug output (44.35 KB, text/x-log)
2011-08-29 12:38 UTC, Pieter Vogel
no flags Details

System ID Private Priority Status Summary Last Updated
FedoraHosted SSSD 979 0 None None None Never
Github SSSD sssd issues 2021 0 None None None 2020-05-02 16:24:36 UTC

Description Pieter Vogel 2011-08-25 09:02:34 UTC
Description of problem:
after updating to 1.5.12-1 ipa users can no longer login

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:

Steps to Reproduce:
1. install Fedora 15 (withouth updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works  

Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allows everything for this user

Comment 1 Gowrishankar Rajaiyan 2011-08-25 12:16:33 UTC
Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please check if you have any empty hbac service groups configured, "ipa hbacsvcgroup-find --all" should help you find that. 

If yes, could try authenticating again after removing the empty hbacsvcgroup?

Comment 2 Pieter Vogel 2011-08-26 07:59:09 UTC
Thanks for the quick reply!

There was one sudo group. It was not empty. after removing that one I am still not allowed to log in

#ipa hbacsvcgroup-find --all
0 HBAC service groups matched
Number of entries returned 0

On the ipa-server I got this in my /var/log/krb5kdc.log. 

krb5kdc[26903](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: ipauser@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required

But that is also there when I downgrade sssd. 

I try today with different HBAC settings.

Comment 3 Gowrishankar Rajaiyan 2011-08-26 12:29:51 UTC
Hi Pieter, 

Thanks for your reply. 

In your bug description I see "[pam_print_data] (4): rhost: localhost", so I guess you are trying to authenticate as "ssh -l user localhost". AFAIK this will fail if you are using hbacrule for sshd service since you cannot add source host or target host as "localhost". 

Could you please try authenticating as "ssh -l ipauser $HOSTNAME" ?

Also, would like to see the output of "ipa hbacrule-find --all"

Thank you.

Comment 4 Pieter Vogel 2011-08-26 12:56:30 UTC
I tried both but did copy the localhost one in this bugzilla.

#ipa hbacrule-find --all

is a lot of output, I attached it.

#ssh -l ipauser $HOSTNAME
ipauser@pvdesk2.office.domain.nl's password:
Connection closed by

The ip-address is off course the ip-address of the desktop

Comment 5 Pieter Vogel 2011-08-26 12:57:49 UTC
Created attachment 520086 [details]
output of "ipa hbacrule-find --all"

output of "ipa hbacrule-find --all"

Comment 6 Stephen Gallagher 2011-08-26 14:29:04 UTC
Would you mind rerunning your original test (without having removed the SUDO service group) with debug_level = 8? Hopefully that will give us a little more information.

Comment 7 Gowrishankar Rajaiyan 2011-08-26 14:55:09 UTC
Hi Pieter, 

I think I reproduced your issue. Thanks for your output of hbacrule's.

Could you please do the following and confirm:

1. ipa hbacrule-remove-host ssh --hostgroups=desktops
2. ipa hbacrule-add-host ssh --hosts=pvdesk2.office.domain.nl
3. Try authenticating from pvdesk2.office.domain.nl as a ipauser.

Comment 8 Pieter Vogel 2011-08-29 09:55:51 UTC
After running 1 and 2 the host is now itself in the ssh hbacrule.

But authenticating is not working. Exit's with the same errors.

Comment 9 Stephen Gallagher 2011-08-29 12:00:23 UTC
Pieter, I identified two bugs in the way we were processing HBAC rules. I've added patches to this scratch build:

Would you please install that build and see if it resolves your issue?

Comment 10 Pieter Vogel 2011-08-29 12:38:18 UTC
Created attachment 520377 [details]
debug output

Comment 11 Pieter Vogel 2011-08-29 12:40:09 UTC
#rpm -qa | grep sssd

#rpm -qa | grep libipa

#ssh -l ipauser pvdesk2.office.domain.nl
ipauser@pvdesk2.office.domain.nl's password: 
Connection closed by

log is in attached debug output

Comment 12 Stephen Gallagher 2011-08-29 13:00:26 UTC
Thanks! That log helped me spot another bug. We were returning an error where we should have been ignoring it instead.

I've created another scratch build for you to test here:

Please tell me whether this resolves your problem.

Comment 13 Pieter Vogel 2011-08-29 13:36:52 UTC
# rpm -qa | grep sssd

# rpm -qa | grep libipa

ssh -l ipauser pvdesk2.office.aboveit.nl
ipauser@pvdesk2.office.domain.nl's password: 
Last login: Mon Aug 29 15:30:26 2011 from pvdesk2.office.domain.nl

It works!

thanks for fixing.

Comment 14 Stephen Gallagher 2011-08-29 13:56:51 UTC
Thanks very much for testing!

I'm going to get this pushed out upstream in SSSD 1.5.13 later today, and it should turn up in an official Fedora update tomorrow.

Comment 15 Fedora Update System 2011-08-29 21:29:30 UTC
sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 has been submitted as an update for Fedora 15.

Comment 16 Fedora Update System 2011-08-31 01:40:11 UTC
Package sssd-1.5.13-1.fc15.1, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, openchange-0.9-18.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.1 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 openchange-0.9-18.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2011-09-07 00:27:20 UTC
Package sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.2 openchange-0.9-18.fc15.2 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2011-09-09 05:30:21 UTC
sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5, evolution-mapi-3.0.3-2.fc15, evolution-exchange-3.0.3-1.fc15, evolution-3.0.3-1.fc15, evolution-data-server-3.0.3-1.fc15, gtkhtml3-4.0.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.