Description of problem: Upgrading to 1.9.4 of the sssd components breaks logins (at least when talking to an IPA server). When logging in through login: or gdm, it simply returns the error "System Error". Increasing the verbosity on the logs doesn't shed much light on anything. It still seems to be working. Commands such as id, finger and su all work correctly. If I downgrade to the "1.8.2-10.fc17" versions of the components, everything works correctly including logging in through login: and gdm. Version-Release number of selected component (if applicable): libipa_hbac.x86_64 1.9.4-1.fc17 updates libipa_hbac-python.x86_64 1.9.4-1.fc17 updates libldb.x86_64 1.1.6-1.fc17 updates libsss_sudo.x86_64 1.9.4-1.fc17 updates sssd.x86_64 1.9.4-1.fc17 updates sssd-client.i686 1.9.4-1.fc17 updates sssd-client.x86_64 1.9.4-1.fc17 updates How reproducible: Upgrade to 1.9.4-1.fc17 or 1.9.4-2.fc17 of the components listed. Try and login through gdm or login: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
What is the SELinux status on the client? Can you put debug_level=8 into the [pam] and [domain] sections and attach the sanitized logs?
No the system has SELinux disabled. Will attach the logs shortly.
Created attachment 734825 [details] krb5_child.log
Created attachment 734826 [details] ldap_child.log
Created attachment 734827 [details] secure
Created attachment 734828 [details] sssd.log
Created attachment 734829 [details] sssd_homenet.lan.log
Created attachment 734830 [details] sssd_nss.log
Created attachment 734831 [details] sssd_pam.log
If you require anything else, let me know. Thanks.
The krb5_child log you sent contains: (Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [get_and_save_tgt] (0x0020): 977: [-1765328353][Decrypt integrity check failed] (Fri Apr 12 23:55:30 2013) [[sssd[krb5_child[2464]]]] [kerr_handle_error] (0x0020): 1030: [-1765328353][Decrypt integrity check failed] That pretty much always means "Wrong password". But since you said SELinux was disabled, can you check if the directory /etc/selinux/targeted/logins/ exists and if not, create it? We had a bug recently where the selinux SSSD provider couldn't cope when the directory was not there.
I'm pretty sure I typed the password correctly - at least once in the test anyway. The "System Error" doesn't seem to occur if you type the password incorrectly. The directory doesn't exist. I'll create it and get back to you.
Thanks - it looks like that was exactly the bug. I installed selinux-policy-targeted, upgraded to 1.9.4 again and bingo! It now works. No system error.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1817
Thanks; the bug is already fixed upstream, it's going to get fixed in Fedora when we rebase to 1.9.5 which is going to be released quite soon now.
I think has to be a record from submission to resolution. :-) Thanks for the help, appreciated.
sssd-1.9.5-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/sssd-1.9.5-1.fc17
sssd-1.9.5-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/sssd-1.9.5-1.fc18
Package sssd-1.9.5-1.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sssd-1.9.5-1.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-7461/sssd-1.9.5-1.fc17 then log in and leave karma (feedback).
Thank you - the updated version works for me
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
sssd-1.9.5-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.9.6-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/sssd-1.9.6-1.fc18
Package sssd-1.9.6-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sssd-1.9.6-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-20802/sssd-1.9.6-1.fc18 then log in and leave karma (feedback).
sssd-1.9.6-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.