Design document[1] says: proxy_child
In general, we can't make assumptions on what the PAM module we wrap using the proxy backend requires, so at least the part of proxy child that runs the PAM conversation should run as root. During development, we should consider splitting the proxy_child into a small setuid helper that would still run privileged and only wrap the PAM module and the rest of the proxy_child that would run unprivileged.
However initialization of proxy_child failed:
{{{
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_send] (0x2000): Queueing request [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_send] (0x1000): Starting proxy child with args [/usr/libexec/sssd/proxy_child -d 0x77f0 --debug-timestamps=1 --debug-microseconds=0 --debug-to-files --domain PROXY --id 1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x1000): Waiting for child [13398].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x0100): child [13398] exited with status [2].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_done] (0x0400): Proxy child init failed [5]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_destructor] (0x2000): Removing proxy child id [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 5, PAM child failed) [Internal Error (Memory buffer error)]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sending result [4][PROXY]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sent result [4][PROXY]
}}}

{{{
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: chown failed for [proxy_child_PROXY]: [1]
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot chown the debug files, debugging might not work!
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Trying to become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: setgroups failed [1][Operation not permitted].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Could not set up mainloop [1]
}}}
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
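The `setgroups failed [1][Operation not permitted]` line above is what any identity switch to 0:0 returns when the calling process is not privileged. The following is an added example, not part of the original ticket and not SSSD's code; `switch_identity` is a hypothetical helper that shows the call order and where the EPERM comes from.

```c
#define _GNU_SOURCE           /* getresuid, setresuid and friends */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not SSSD's become_user): switch to uid:gid.
 * Returns 0 on success, otherwise the errno of the step that failed. */
int switch_identity(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return errno;

    /* Already the target identity: skip the set*id calls entirely.
     * Supplementary groups are left as inherited in this case. */
    if (ru == uid && eu == uid && su == uid &&
        rg == gid && eg == gid && sg == gid)
        return 0;

    /* Order matters: groups first, then gid, then uid. Once the uid
     * is changed the process may no longer be allowed to touch groups. */
    if (setgroups(0, NULL) != 0)        /* needs CAP_SETGID */
        return errno;                   /* EPERM (1) when unprivileged */
    if (setresgid(gid, gid, gid) != 0)
        return errno;
    if (setresuid(uid, uid, uid) != 0)
        return errno;

    /* Verify the result instead of trusting the return codes alone. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return EPERM;
    return 0;
}

int main(void)
{
    /* Same request as in the log: "Trying to become user [0][0]". */
    int ret = switch_identity(0, 0);
    printf("switch_identity(0, 0) as euid %ld -> %d\n", (long)geteuid(), ret);
    return ret == 0 ? 0 : 1;
}
```

Run as an ordinary user, this prints a result of 1 (EPERM), matching the errno in the syslog line; run as root, the request is a no-op and returns 0.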
Fields changed
summary: proxy_child does not work in non-root mode => proxy provider does not work in non-root mode
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1221992 (Red Hat Enterprise Linux 7)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1221992 1221992]
owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.12.5
resolution: => fixed
status: assigned => closed
Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.12.5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3696
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.