Learn more about these different git repos.
Other Git URLs
This issue was found by Kaushik while testing the proxy provider.
The loginShell attribute is a MAY attribute according to rfc 2307 and 2307bis and neither rfc give a hint what to do if loginShell is missing.
If loginShell is missing or empty for a LDAP user the corresponding attribute is not written to the cache, because sysdb_add_basic_user() drops it in this case. When using the proxy provider in both cases (missing or empty) an empty string is returned by the external getpwnam_r() call and an update of the cached entry will fail. The reason is that sysdb_store_user() only checks if shell==NULL but not if shell is an empty string and now tries to update a non-existent attribute in the cache which is not allowed.
As a side effect it is also not possible to update other attributes, e.g, a change in the gecos field, because all updates and done in a single operation.
To fix this I would like to suggest to introduce a configurable default login shell with a default value of '/dev/null'.
To reproduce this issue configure a domain as
[domain/proxy] id_provider = proxy proxy_lib_name = ldap proxy_pam_target = sss_ldap
start with an empty cache and call 'id ldap_user_with_missing_loginShell'. The following error messages can be found:
(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [sysdb_set_entry_attr] (6): Error: 14 (Bad address) (Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [ldb] (9): cancel ldb transaction (nesting: 1) (Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [sysdb_store_user] (6): Error: 14 (Bad address) (Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [ldb] (9): cancel ldb transaction (nesting: 0) (Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [acctinfo_callback] (4): Request processed. Returned 3,14,Internal Error (Cannot make/remove an entry for the specified session)
Replying to [ticket:892 sbose]:
This would certainly be wrong. An empty shell is a perfectly valid value and tells the system to use whatever is the currently configured default shell.
The fix is to check if shell[0] == '\0' and skip adding loginShell entirely if it is (or better run a modify operation to delete loginShell if it is there, to remove stale caches of the attribute).
This will cause us to return an empty shell to getpwnam() which will do the right thing in the system.
As Simo said, this would be an incompatible change. The expected behavior of POSIX is that if the NSS module returns NULL for pw_shell, libc should handle it in a platform-appropriate manner.
In the case of Linux, this generally means that it's treated as /bin/sh.
We want to make sure that the proxy provider behaves the same as our native LDAP provider (which does this correctly).
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.7.0
I agree that '/dev/null' might not be a good choice, but it would be nice if we can store something, e.g. an empty string. This would make updating easier because the modify operation fails if the attribute is missing. Otherwise we have to read the object first, check all attributes and add new one and modify existing attributes.
Should not be a big problem to fix.
milestone: SSSD 1.8.0 => SSSD 1.7.0
priority: major => minor rhbz: =>
owner: somebody => jzeleny
patch: 0 => 1 status: new => assigned
Fixed in: 72c3fe5
resolution: => fixed status: assigned => closed
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=785902
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=785902 785902]
Metadata Update from @sbose: - Issue assigned to jzeleny - Issue set to the milestone: SSSD 1.7.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1934
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.