Bug 951620 - Upgrade to 1.9.4 Breaks Logins
Summary: Upgrade to 1.9.4 Breaks Logins
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-12 15:19 UTC by Ian Chapman
Modified: 2020-05-02 17:17 UTC (History)

Fixed In Version: sssd-1.9.6-1.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-15 20:33:56 UTC
Type: Bug


Attachments
krb5_child.log (4.34 KB, text/plain), 2013-04-12 16:20 UTC, Ian Chapman
ldap_child.log (2.51 KB, text/plain), 2013-04-12 16:20 UTC, Ian Chapman
secure (977 bytes, text/plain), 2013-04-12 16:21 UTC, Ian Chapman
sssd.log (24.02 KB, text/plain), 2013-04-12 16:21 UTC, Ian Chapman
sssd_homenet.lan.log (241.62 KB, text/plain), 2013-04-12 16:22 UTC, Ian Chapman
sssd_nss.log (11.22 KB, text/plain), 2013-04-12 16:23 UTC, Ian Chapman
sssd_pam.log (18.61 KB, text/plain), 2013-04-12 16:23 UTC, Ian Chapman


Links
System: Github SSSD sssd
ID: issues 2859
Private: 0
Priority: None
Status: closed
Summary: sssd pam write_selinux_login_file creating the temp file for SELinux data failed
Last Updated: 2020-05-02 17:17:01 UTC

Description Ian Chapman 2013-04-12 15:19:05 UTC
Description of problem:

Upgrading to 1.9.4 of the sssd components breaks logins (at least when talking to an IPA server). When logging in through login: or gdm, it simply returns the error "System Error". Increasing the verbosity on the logs doesn't shed much light on anything. It still seems to be working.

Commands such as id, finger and su all work correctly.

If I downgrade to the "1.8.2-10.fc17" versions of the components, everything works correctly including logging in through login: and gdm.


Version-Release number of selected component (if applicable):

libipa_hbac.x86_64                         1.9.4-1.fc17                  updates
libipa_hbac-python.x86_64                  1.9.4-1.fc17                  updates
libldb.x86_64                              1.1.6-1.fc17                  updates
libsss_sudo.x86_64                         1.9.4-1.fc17                  updates
sssd.x86_64                                1.9.4-1.fc17                  updates
sssd-client.i686                           1.9.4-1.fc17                  updates
sssd-client.x86_64                         1.9.4-1.fc17                  updates

How reproducible:

Upgrade to 1.9.4-1.fc17 or 1.9.4-2.fc17 of the components listed. Try and log in through gdm or login:

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Jakub Hrozek 2013-04-12 15:25:58 UTC
What is the SELinux status on the client?

Can you put debug_level=8 into the [pam] and [domain] sections and attach the sanitized logs?

Comment 2 Ian Chapman 2013-04-12 16:03:53 UTC
No, the system has SELinux disabled. Will attach the logs shortly.

Comment 3 Ian Chapman 2013-04-12 16:20:19 UTC
Created attachment 734825
krb5_child.log

Comment 4 Ian Chapman 2013-04-12 16:20:45 UTC
Created attachment 734826
ldap_child.log

Comment 5 Ian Chapman 2013-04-12 16:21:09 UTC
Created attachment 734827
secure

Comment 6 Ian Chapman 2013-04-12 16:21:48 UTC
Created attachment 734828
sssd.log

Comment 7 Ian Chapman 2013-04-12 16:22:29 UTC
Created attachment 734829
sssd_homenet.lan.log

Comment 8 Ian Chapman 2013-04-12 16:23:00 UTC
Created attachment 734830
sssd_nss.log

Comment 9 Ian Chapman 2013-04-12 16:23:27 UTC
Created attachment 734831
sssd_pam.log

Comment 10 Ian Chapman 2013-04-12 16:24:12 UTC
If you require anything else, let me know. Thanks.

Comment 11 Jakub Hrozek 2013-04-12 16:35:22 UTC
The krb5_child log you sent contains:

(Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [get_and_save_tgt] (0x0020): 977: [-1765328353][Decrypt integrity check failed]
(Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [kerr_handle_error] (0x0020): 1030: [-1765328353][Decrypt integrity check failed]

That pretty much always means "Wrong password".

But since you said SELinux was disabled, can you check if the directory /etc/selinux/targeted/logins/ exists and if not, create it? We had a bug recently where the selinux SSSD provider couldn't cope when the directory was not there.

Comment 12 Ian Chapman 2013-04-12 16:45:25 UTC
I'm pretty sure I typed the password correctly - at least once in the test anyway. The "System Error" doesn't seem to occur if you type the password incorrectly.

The directory doesn't exist. I'll create it and get back to you.

Comment 13 Ian Chapman 2013-04-12 16:52:17 UTC
Thanks - it looks like that was exactly the bug. I installed selinux-policy-targeted, upgraded to 1.9.4 again and bingo! It now works. No system error.
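
The two checks from Comments 11 and 13 as a read-only triage script, added here as an example and not taken from the thread or from SSSD: it converts the krb5 error codes in krb5_child.log to Kerberos protocol error numbers and tests for /etc/selinux/targeted/logins. The function names and the optional ROOT argument are assumptions made for this sketch; the sample log lines are the two quoted in Comment 11.

```sh
#!/bin/sh
# Added example, not SSSD code; function names and ROOT are hypothetical.
KRB5_BASE=-1765328384   # first code in MIT krb5's com_err error table

# For each error line in an SSSD krb5_child.log, print
# "<function> <Kerberos protocol error number> <message>".
krb5_errors() {
    sed -n -E 's/^.*\] \[([A-Za-z0-9_]+)\] \(0x[0-9a-f]+\): [0-9]+: \[(-[0-9]+)\]\[(.*)\]$/\1 \2 \3/p' "$1" |
    while read -r func code msg; do
        echo "$func $(( $code - ($KRB5_BASE) )) $msg"
    done
}

# Print "present" or "missing" for the directory Comment 11 asks about.
# ROOT is empty on a live host; point it at a scratch tree to test.
selinux_logins_dir() {   # usage: selinux_logins_dir [ROOT]
    if [ -d "${1:-}/etc/selinux/targeted/logins" ]; then
        echo present
    else
        echo missing
    fi
}

# Order the checks as the thread resolved them: the missing directory
# explains "System Error" even though the log also shows error 31
# (KRB_AP_ERR_BAD_INTEGRITY, usually a wrong password).
triage() {   # usage: triage KRB5_CHILD_LOG [ROOT]
    if [ "$(selinux_logins_dir "${2:-}")" = missing ]; then
        echo selinux-logins-dir-missing
    elif krb5_errors "$1" | grep -q ' 31 '; then
        echo krb5-bad-integrity
    else
        echo no-finding
    fi
}

# Sample input: the log lines from Comment 11, placed in a scratch tree.
scratch=$(mktemp -d)
cat > "$scratch/krb5_child.log" <<'EOF'
(Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [get_and_save_tgt] (0x0020): 977: [-1765328353][Decrypt integrity check failed]
(Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [kerr_handle_error] (0x0020): 1030: [-1765328353][Decrypt integrity check failed]
EOF
triage "$scratch/krb5_child.log" "$scratch"   # directory absent in the scratch tree
mkdir -p "$scratch/etc/selinux/targeted/logins"
triage "$scratch/krb5_child.log" "$scratch"   # directory present, error 31 remains
rm -rf "$scratch"
```

On a live host, pass the path to krb5_child.log and omit the second argument so the real /etc/selinux/targeted/logins is tested.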

Comment 14 Jakub Hrozek 2013-04-12 16:58:22 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1817

Comment 15 Jakub Hrozek 2013-04-12 16:59:35 UTC
Thanks; the bug is already fixed upstream, it's going to get fixed in Fedora when we rebase to 1.9.5 which is going to be released quite soon now.

Comment 16 Ian Chapman 2013-04-12 17:01:38 UTC
I think this has to be a record from submission to resolution. :-) Thanks for the help, appreciated.

Comment 17 Fedora Update System 2013-05-05 14:34:31 UTC
sssd-1.9.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.9.5-1.fc17

Comment 18 Fedora Update System 2013-05-05 14:34:42 UTC
sssd-1.9.5-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sssd-1.9.5-1.fc18

Comment 19 Fedora Update System 2013-05-06 03:48:17 UTC
Package sssd-1.9.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.9.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7461/sssd-1.9.5-1.fc17
then log in and leave karma (feedback).

Comment 20 Ian Chapman 2013-05-11 10:10:15 UTC
Thank you - the updated version works for me.

Comment 21 Fedora End Of Life 2013-07-04 07:43:50 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 22 Fedora Update System 2013-07-06 00:49:00 UTC
sssd-1.9.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2013-11-06 19:33:41 UTC
sssd-1.9.6-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sssd-1.9.6-1.fc18

Comment 24 Fedora Update System 2013-11-07 03:34:59 UTC
Package sssd-1.9.6-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.9.6-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20802/sssd-1.9.6-1.fc18
then log in and leave karma (feedback).

Comment 25 Fedora Update System 2013-11-15 20:33:56 UTC
sssd-1.9.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

