https://bugzilla.redhat.com/show_bug.cgi?id=733663
Description of problem: Authentication fails when there exists an empty hbacsvcgroup.

Version-Release number of selected component (if applicable): sssd-1.5.13-0.20110823T0331z.el6.x86_64

How reproducible: Always

Steps to Reproduce:
1. Create an ipa user "user1"
2. From client make sure you are able to log in using ssh.
3. Create an empty hbacsvcgroup
   # ipa hbacsvcgroup-add grp1 --desc=grp1
   -------------------------------
   Added HBAC service group "grp1"
   -------------------------------
     Service group name: grp1
     Description: grp1
4. Try authenticating again as "user1".

Actual results: Authentication now fails for user1.

/var/log/secure:
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration

sssd domain log:
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services: [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: sh[0xa43a00], connected[1], ops[(nil)], ldap[0xa58110]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!

Expected results: Authentication should not fail.

Additional info:
[root@bumblebee ~]# ipa hbacsvcgroup-find --all
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------

# ipa hbacrule-find --all
-------------------
1 HBAC rule matched
-------------------
  dn: ipauniqueid=9a926bd6-cd6d-11e0-9bfa-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
  accessruletype: allow
  ipauniqueid: 9a926bd6-cd6d-11e0-9bfa-525400deab7b
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------

/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = lab.eng.pnq.redhat.com

[nss]

[pam]

[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
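The log excerpt above shows the detail that matters for triage: pam_sss reports "authentication success" in the auth phase, and the account phase then fails with PAM return code 4 (System error), not 6 (Permission denied). Code 4 means the access provider could not evaluate HBAC at all (here because the sysdb save of the empty service group failed), whereas code 6 would mean HBAC ran and refused. The following script is an added example for this ticket, not SSSD's own code: it reads sshd's pam_sss lines and the sssd domain log, tells the two cases apart per sshd process, and pulls out the level-1 errors from the backend. The /var/log/secure and domain-log samples are the lines quoted in the report; the "user2" session (pid 25100) and the verdict names are constructed for the example.

```python
"""Tell an SSSD policy denial apart from a backend failure in sshd's PAM log.

Added example for this ticket, not SSSD code. Sample lines marked "from the
report" are the ones quoted above; the user2 session is constructed.
"""
import re

# pam_sss logs "pam_sss(<service>:<phase>): <message>" via sshd's syslog
PAM_SSS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<phase>auth|account|session|password)\): (?P<msg>.*)$"
)
# "Access denied for user X: N (text)" carries the raw PAM return code N
ACCESS_DENIED_RE = re.compile(
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
# sssd_be domain log entries end in "[function] (level): message"
SSSD_RE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")

# Linux-PAM return codes that matter here
PAM_SYSTEM_ERR = 4    # the backend could not answer: not a policy decision
PAM_PERM_DENIED = 6   # the access provider evaluated the rules and refused

# From the report (constructed only in the sense of being pasted inline)
SAMPLE_SECURE = """\
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration
"""

# Constructed contrast case: a genuine HBAC refusal (code 6), user2/pid 25100 are made up
CONSTRUCTED_POLICY_DENY = """\
Aug 26 08:10:00 ironhide sshd[25100]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user2
Aug 26 08:10:00 ironhide sshd[25100]: pam_sss(sshd:account): Access denied for user user2: 6 (Permission denied)
"""

# From the report: the sssd domain log around the failed HBAC save
SAMPLE_DOMAIN_LOG = """\
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services: [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""


def classify_pam(lines):
    """Group pam_sss events per sshd pid and attach a verdict to each."""
    sessions = {}
    for line in lines:
        m = PAM_SSS_RE.search(line)
        if not m:
            continue  # pam_unix noise, "Failed password", sshd's own lines
        s = sessions.setdefault(m["pid"], {"user": None, "auth": None, "account": None})
        msg = m["msg"]
        u = USER_RE.search(msg)
        if u:
            s["user"] = u["user"]
        if m["phase"] == "auth":
            s["auth"] = "success" if msg.startswith("authentication success") else "failure"
        elif m["phase"] == "account":
            d = ACCESS_DENIED_RE.search(msg)
            if d:
                s["user"] = d["user"]
                s["account"] = int(d["code"])
                s["reason"] = d["reason"]
    for s in sessions.values():
        s["verdict"] = _verdict(s)
    return sessions


def _verdict(s):
    if s["auth"] == "failure":
        return "auth-failed"
    if s["account"] == PAM_SYSTEM_ERR:
        return "backend-error"   # credentials fine, HBAC could not be evaluated
    if s["account"] == PAM_PERM_DENIED:
        return "policy-deny"     # HBAC ran and said no
    if s["account"] is not None:
        return "denied-other"
    return "no-denial"


def backend_error_users(sessions):
    """Users whose logins failed because of a backend error, not policy."""
    return sorted({s["user"] for s in sessions.values() if s["verdict"] == "backend-error"})


def sssd_save_errors(lines):
    """Level-1 'Error'/'Could not' messages from an sssd domain log, in order."""
    out = []
    for line in lines:
        m = SSSD_RE.search(line)
        if m and int(m["level"]) <= 1 and m["msg"].startswith(("Error", "Could not")):
            out.append((m["func"], m["msg"]))
    return out


if __name__ == "__main__":
    sessions = classify_pam(SAMPLE_SECURE.splitlines() + CONSTRUCTED_POLICY_DENY.splitlines())
    for pid, s in sessions.items():
        print(f"sshd[{pid}] user={s['user']} verdict={s['verdict']}")
    print("backend-error users:", backend_error_users(sessions))
    for func, msg in sssd_save_errors(SAMPLE_DOMAIN_LOG.splitlines()):
        print(f"sssd_be {func}: {msg}")
```

A "backend-error" verdict is the signal to look at the sssd domain log for the matching level-1 errors rather than at the HBAC rules: in this ticket the rule set is allow_all, so a policy reading of the denial would be wrong.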
Fields changed
coverity: =>
description: (the Bugzilla report text quoted above) => https://bugzilla.redhat.com/show_bug.cgi?id=733663
owner: somebody => sgallagh
patch: => 0
rhbz: => 733663
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0
patch: 0 => 1
Fixed by:
- 5215f68 (master)
- 1457e0c (sssd-1-6)
- df38d94 (sssd-1-5)
resolution: => fixed
status: assigned => closed
rhbz: 733663 => [https://bugzilla.redhat.com/show_bug.cgi?id=733663 733663]
Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2023
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.