Red Hat Bugzilla – Bug 733237
sssd blocks login of ipa-users
Last modified: 2011-10-25 10:08:45 EDT
Description of problem: after updating to 1.5.12-1 ipa users can no longer login Version-Release number of selected component (if applicable): sssd 1.5.12 How reproducible: always Steps to Reproduce: 1. install Fedora 15 (withouth updates) and connect to rhel ipa-server 2. login as ipauser works 3. update to sssd-1.5.12 (or update everything) 4. login as ipauser no longer works Additional info: #ssh ipauser@localhost ipauser@localhost's password: Connection closed by ::1 with higher debuglevel in sssd.conf (debug_level = 5) [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success] [be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl] [be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl] [child_sig_handler] (4): child [6677] finished successfully. [be_pam_handler] (4): Got request with the following data [pam_print_data] (4): command: PAM_ACCT_MGMT [pam_print_data] (4): domain: office.aboveit.nl [pam_print_data] (4): user: ipauser [pam_print_data] (4): service: sshd [pam_print_data] (4): tty: ssh [pam_print_data] (4): ruser: [pam_print_data] (4): rhost: localhost [pam_print_data] (4): authtok type: 0 [pam_print_data] (4): authtok size: 0 [pam_print_data] (4): newauthtok type: 0 [pam_print_data] (4): newauthtok size: 0 [pam_print_data] (4): priv: 0 [pam_print_data] (4): cli_pid: 6675 [ipa_hbac_sysdb_save] (1): Could not determine original members [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory] [hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)] Probably a directory is missing, but I can't find which one. HBAC rules allows everything for this user
Hi Pieter, I could reproduce this when I had an empty hbacsvc group. Could you please check if you have any empty hbac service groups configured, "ipa hbacsvcgroup-find --all" should help you find that. If yes, could try authenticating again after removing the empty hbacsvcgroup?
Thanks for the quick reply! There was one sudo group. It was not empty. after removing that one I am still not allowed to log in #ipa hbacsvcgroup-find --all ----------------------------- 0 HBAC service groups matched ----------------------------- ---------------------------- Number of entries returned 0 ---------------------------- On the ipa-server I got this in my /var/log/krb5kdc.log. krb5kdc[26903](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.52.19: NEEDED_PREAUTH: ipauser@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required But that is also there when I downgrade sssd. I try today with different HBAC settings.
Hi Pieter, Thanks for your reply. In your bug description I see "[pam_print_data] (4): rhost: localhost", so I guess you are trying to authenticate as "ssh -l user localhost". AFAIK this will fail if you are using hbacrule for sshd service since you cannot add source host or target host as "localhost". Could you please try authenticating as "ssh -l ipauser $HOSTNAME" ? Also, would like to see the output of "ipa hbacrule-find --all" Thank you.
I tried both but did copy the localhost one in this bugzilla. #ipa hbacrule-find --all is a lot of output, I attached it. #ssh -l ipauser $HOSTNAME ipauser@pvdesk2.office.domain.nl's password: Connection closed by 10.183.52.19 The ip-address is off course the ip-address of the desktop
Created attachment 520086 [details] output of "ipa hbacrule-find --all" output of "ipa hbacrule-find --all"
Would you mind rerunning your original test (without having removed the SUDO service group) with debug_level = 8? Hopefully that will give us a little more information.
Hi Pieter, I think I reproduced your issue. Thanks for your output of hbacrule's. Could you please do the following and confirm: 1. ipa hbacrule-remove-host ssh --hostgroups=desktops 2. ipa hbacrule-add-host ssh --hosts=pvdesk2.office.domain.nl 3. Try authenticating from pvdesk2.office.domain.nl as a ipauser.
After running 1 and 2 the host is now itself in the ssh hbacrule. But authenticating is not working. Exit's with the same errors.
Pieter, I identified two bugs in the way we were processing HBAC rules. I've added patches to this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3308550 Would you please install that build and see if it resolves your issue?
Created attachment 520377 [details] debug output
#rpm -qa | grep sssd sssd-1.5.12-1.fc15.1.x86_64 sssd-tools-1.5.12-1.fc15.1.x86_64 sssd-client-1.5.12-1.fc15.1.x86_64 #rpm -qa | grep libipa libipa_hbac-1.5.12-1.fc15.1.x86_64 #ssh -l ipauser pvdesk2.office.domain.nl ipauser@pvdesk2.office.domain.nl's password: Connection closed by 10.183.52.19 log is in attached debug output
Thanks! That log helped me spot another bug. We were returning an error where we should have been ignoring it instead. I've created another scratch build for you to test here: http://koji.fedoraproject.org/koji/taskinfo?taskID=3308830 Please tell me whether this resolves your problem.
# rpm -qa | grep sssd sssd-client-1.5.12-1.fc15.2.x86_64 sssd-1.5.12-1.fc15.2.x86_64 sssd-tools-1.5.12-1.fc15.2.x86_64 # rpm -qa | grep libipa libipa_hbac-1.5.12-1.fc15.2.x86_64 ssh -l ipauser pvdesk2.office.aboveit.nl ipauser@pvdesk2.office.domain.nl's password: Last login: Mon Aug 29 15:30:26 2011 from pvdesk2.office.domain.nl It works! thanks for fixing.
Thanks very much for testing! I'm going to get this pushed out upstream in SSSD 1.5.13 later today, and it should turn up in an official Fedora update tomorrow.
sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.4,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15
Package sssd-1.5.13-1.fc15.1, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, openchange-0.9-18.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.1 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 openchange-0.9-18.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.1,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.1,samba4-4.0.0-25.alpha11.fc15.5,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 then log in and leave karma (feedback).
Package sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, evolution-mapi-3.0.2-2.fc15.1, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sssd-1.5.13-1.fc15.2 openchange-0.9-18.fc15.2 evolution-mapi-3.0.2-2.fc15.1 certmonger-0.45-1.fc15.1 libldb-1.0.0-3.fc15 libtevent-0.9.13-1.fc15 samba4-4.0.0-25.alpha11.fc15.5' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/sssd-1.5.13-1.fc15.2,evolution-mapi-3.0.2-2.fc15.1,certmonger-0.45-1.fc15.1,openchange-0.9-18.fc15.2,samba4-4.0.0-25.alpha11.fc15.5,libldb-1.0.0-3.fc15,libtevent-0.9.13-1.fc15 then log in and leave karma (feedback).
sssd-1.5.13-1.fc15.2, openchange-0.9-18.fc15.2, certmonger-0.45-1.fc15.1, libldb-1.0.0-3.fc15, libtevent-0.9.13-1.fc15, samba4-4.0.0-25.alpha11.fc15.5, evolution-mapi-3.0.3-2.fc15, evolution-exchange-3.0.3-1.fc15, evolution-3.0.3-1.fc15, evolution-data-server-3.0.3-1.fc15, gtkhtml3-4.0.2-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.