Bug 733663 - Authentication fails when there exists an empty hbacsvcgroup.
Summary: Authentication fails when there exists an empty hbacsvcgroup.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 748872
TreeView+ depends on / blocked
 
Reported: 2011-08-26 12:11 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:50 UTC (History)
6 users (show)

Fixed In Version: sssd-1.5.1-49.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
: 748872 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:39:45 UTC


Attachments (Terms of Use)
Complete sssd domain log (103.05 KB, text/plain)
2011-08-26 12:11 UTC, Gowrishankar Rajaiyan
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1529 normal SHIPPED_LIVE sssd bug fix and enhancement update 2011-12-06 00:50:20 UTC
FedoraHosted SSSD 981 None None None Never

Description Gowrishankar Rajaiyan 2011-08-26 12:11:39 UTC
Created attachment 520076 [details]
Complete sssd domain log

Description of problem:
Authentication fails when there exists an empty hbacsvcgroup.

Version-Release number of selected component (if applicable):
sssd-1.5.13-0.20110823T0331z.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a ipa user "user1"
2. From client make sure you are able to login using ssh.
3. Create an empty hbacsvcgroup
# ipa hbacsvcgroup-add grp1 --desc=grp1
-------------------------------
Added HBAC service group "grp1"
-------------------------------
  Service group name: grp1
  Description: grp1

4. Try authenticating again as "user1".
  
Actual results:
Authentication now fails for user1.

/var/log/secure:
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com  user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration


sssd domain log:
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services:  [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: sh[0xa43a00], connected[1], ops[(nil)], ldap[0xa58110]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!


Expected results:
Authentication should not fail.

Additional info:
[root@bumblebee ~]# ipa hbacsvcgroup-find --all
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------


# ipa hbacrule-find --all
-------------------
1 HBAC rule matched
-------------------
  dn: ipauniqueid=9a926bd6-cd6d-11e0-9bfa-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
  accessruletype: allow
  ipauniqueid: 9a926bd6-cd6d-11e0-9bfa-525400deab7b
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------


/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = lab.eng.pnq.redhat.com
[nss]
[pam]
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

Comment 2 Stephen Gallagher 2011-08-26 12:49:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/981

Comment 4 Gowrishankar Rajaiyan 2011-10-03 06:25:27 UTC
[root@bumblebee ~]# ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root@bumblebee ~]# ipa hbacsvcgroup-find
-----------------------------
3 HBAC service groups matched
-----------------------------
  Service group name: ftp
  Description: Default group of ftp related services
  Member HBAC service: ftp, proftpd, pure-ftpd, vsftpd, gssftp

  Service group name: grp1
  Description: grp1

  Service group name: Sudo
  Description: Default group of Sudo related services
  Member HBAC service: sudo, sudo-i
----------------------------
Number of entries returned 3
----------------------------



/var/log/secure:
Oct  3 08:40:29 bumblebee sshd[6312]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=mudflap.lab.eng.pnq.redhat.com user=shanks
Oct  3 08:40:30 bumblebee sshd[6312]: Accepted password for shanks from 10.65.201.66 port 44746 ssh2
Oct  3 08:40:30 bumblebee sshd[6312]: pam_unix(sshd:session): session opened for user shanks by (uid=0)

Verified.

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 53.el6                        Build Date: Fri 30 Sep 2011 10:10:28 AM EDT
Install Date: Mon 03 Oct 2011 08:30:33 AM EDT      Build Host: hs20-bc2-3.build.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-53.el6.src.rpm
Size        : 3551489                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 5 Jakub Hrozek 2011-10-27 14:31:40 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 6 errata-xmlrpc 2011-12-06 16:39:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html


Note You need to log in before you can comment on or make changes to this bug.