Learn more about these different git repos.
Other Git URLs
Description of problem: after updating to 1.5.12-1 ipa users can no longer login Version-Release number of selected component (if applicable): sssd 1.5.12 How reproducible: always Steps to Reproduce: 1. install Fedora 15 (withouth updates) and connect to rhel ipa-server 2. login as ipauser works 3. update to sssd-1.5.12 (or update everything) 4. login as ipauser no longer works Additional info: #ssh ipauser@localhost ipauser@localhost's password: Connection closed by ::1 with higher debuglevel in sssd.conf (debug_level = 5) [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success] [be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl] [be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl] [child_sig_handler] (4): child [6677] finished successfully. [be_pam_handler] (4): Got request with the following data [pam_print_data] (4): command: PAM_ACCT_MGMT [pam_print_data] (4): domain: office.aboveit.nl [pam_print_data] (4): user: ipauser [pam_print_data] (4): service: sshd [pam_print_data] (4): tty: ssh [pam_print_data] (4): ruser: [pam_print_data] (4): rhost: localhost [pam_print_data] (4): authtok type: 0 [pam_print_data] (4): authtok size: 0 [pam_print_data] (4): newauthtok type: 0 [pam_print_data] (4): newauthtok size: 0 [pam_print_data] (4): priv: 0 [pam_print_data] (4): cli_pid: 6675 [ipa_hbac_sysdb_save] (1): Could not determine original members [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory] [hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)] Probably a directory is missing, but I can't find which one. HBAC rules allows everything for this user
From shanks:
Hi Pieter, I could reproduce this when I had an empty hbacsvc group. Could you please check if you have any empty hbac service groups configured, "ipa hbacsvcgroup-find --all" should help you find that. If yes, could try authenticating again after removing the empty hbacsvcgroup?
It looks like there are two separate issues here. I've created Ticket #981 to track the empty service group problem.
summary: HBAC provider fails if there are empty HBAC service groups => HBAC provider regression in 1.5.12
Fields changed
patch: 0 => 1 status: new => assigned
Fixed by: - 473c908 (master) - 207d589 (sssd-1-6) - fde6ab6 (sssd-1-5)
resolution: => fixed status: assigned => closed
rhbz: 733237 => [https://bugzilla.redhat.com/show_bug.cgi?id=733237 733237]
Metadata Update from @sgallagh: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.5.13
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2021
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.