#979 HBAC provider regression in 1.5.12

Created 5 years ago by sgallagh
Modified 3 months ago

Description of problem:
after updating to 1.5.12-1 ipa users can no longer login

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:
always

Steps to Reproduce:
1. install Fedora 15 (without updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works


Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allow everything for this user

From shanks:

Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please
check if you have any empty hbac service groups configured, "ipa
hbacsvcgroup-find --all" should help you find that.

If yes, could you try authenticating again after removing the empty hbacsvcgroup?
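
A triage sketch for the debug log in the description, added here as an example and not part of the ticket or of SSSD: it groups each PAM request with the HBAC save errors and backend result that follow it, and reports account-management requests that failed that way. The function name, the severity threshold of 3 and the sample (abbreviated from the excerpt above, last entry wrapped across two lines) are assumptions of this example.

```python
import re

LINE = re.compile(r"\[(\w+)\] \((\d+)\): (.*)")
RESULT = re.compile(r"Backend returned: \((\d+), (\d+),")

# Constructed sample: abbreviated from the debug_level = 5 excerpt in this ticket.
SAMPLE = """\
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): rhost: localhost
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error
(System error)]
"""

def find_hbac_failures(log_text):
    """Return PAM_ACCT_MGMT requests that failed after an HBAC save error."""
    lines = []
    for raw in log_text.splitlines():
        # A line that does not start with '[' continues the previous entry.
        if raw.startswith("[") or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    failures, req = [], None
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        func, level, msg = m.group(1), int(m.group(2)), m.group(3)
        if func == "be_pam_handler":  # start of a new PAM request
            req = {"errors": []}
        elif req is None:
            continue
        elif func == "pam_print_data":
            key, _, value = msg.partition(":")
            req[key.strip()] = value.strip()
        elif func.endswith("hbac_sysdb_save") and level <= 3:  # assumed threshold
            req["errors"].append(msg)
        elif func == "be_pam_handler_callback" and (r := RESULT.search(msg)):
            req["result"] = (int(r.group(1)), int(r.group(2)))
            if req.get("command") == "PAM_ACCT_MGMT" and req["result"][0] and req["errors"]:
                failures.append(req)
            req = None
    return failures
```
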

It looks like there are two separate issues here. I've created Ticket #981 to track the empty service group problem.

summary: HBAC provider fails if there are empty HBAC service groups => HBAC provider regression in 1.5.12

Fields changed

patch: 0 => 1
status: new => assigned

Fixed by:
- 473c90800239fc54eaab9d3dc3194582b039d614 (master)
- 207d5890c73c707b3f05c003e65a86984c3548b8 (sssd-1-6)
- fde6ab61a611cfea5f15534dd405d5658bc0c879 (sssd-1-5)

resolution: => fixed
status: assigned => closed

3 months ago

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13


defect

IPA Provider

1.5.12

0

1

https://bugzilla.redhat.com/show_bug.cgi?id=733237
