Ticket #979 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

HBAC provider regression in 1.5.12

Reported by: sgallagh Owned by: sgallagh
Priority: blocker Milestone: SSSD 1.5.13
Component: IPA Provider Version: 1.5.12
Keywords: Cc:
Blocked By: Blocking:
Sensitive: Tests Updated: no
Coverity Bug: Patch Submitted: yes
Red Hat Bugzilla: 733237 Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:
Temp mark:


Description of problem:
after updating to 1.5.12-1 ipa users can no longer login

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:

Steps to Reproduce:
1. install Fedora 15 (withouth updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works  

Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error
(System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allows everything for this user

Change History

comment:1 Changed 5 years ago by sgallagh

From shanks:

Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please
check if you have any empty hbac service groups configured, "ipa
hbacsvcgroup-find --all" should help you find that. 

If yes, could try authenticating again after removing the empty hbacsvcgroup?

comment:2 Changed 5 years ago by sgallagh

  • Summary changed from HBAC provider fails if there are empty HBAC service groups to HBAC provider regression in 1.5.12

It looks like there are two separate issues here. I've created Ticket #981 to track the empty service group problem.

comment:3 Changed 5 years ago by sgallagh

  • Status changed from new to assigned
  • Patch Submitted set

comment:4 Changed 5 years ago by sgallagh

  • Status changed from assigned to closed
  • Resolution set to fixed

comment:5 Changed 5 years ago by mkosek

  • Red Hat Bugzilla changed from 733237 to [https://bugzilla.redhat.com/show_bug.cgi?id=733237 733237]
Note: See TracTickets for help on using tickets.