#979 HBAC provider regression in 1.5.12
Closed: Fixed None Opened 8 years ago by sgallagh.

Description of problem:
After updating to 1.5.12-1, IPA users can no longer log in.

Version-Release number of selected component (if applicable):
sssd 1.5.12

How reproducible:

Steps to Reproduce:
1. install Fedora 15 (without updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works

Additional info:

#ssh ipauser@localhost
ipauser@localhost's password: 
Connection closed by ::1

with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [0][office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [0][office.aboveit.nl]
[child_sig_handler] (4): child [6677] finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error
(System error)]

Probably a directory is missing, but I can't find which one.
HBAC rules allow everything for this user.
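
A log-triage sketch for the excerpt above, added here as an example and not part of the ticket or of SSSD: it groups the backend's debug lines per PAM request and flags requests where the HBAC provider itself errored out instead of returning an access decision. The function name `triage`, the verdict labels and the sample log are constructed for illustration, and it assumes the decimal debug levels and message strings shown in the excerpt.

```python
import re

LINE = re.compile(r"\[(\w+)\] \((\d+)\): (.*)")  # "[function] (level): message"
RESULT = re.compile(r"Backend returned: \((\d+), (\d+), [^)]*\) \[([^\]]*)")

# Constructed sample, trimmed from the format of the excerpt in this ticket.
SAMPLE_LOG = """\
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[ipa_hbac_sysdb_save] (1): Could not determine original members
[hbac_sysdb_save] (1): Error saving hosts: [2][No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error
(System error)]
"""

def triage(log_text):
    """Return one dict per PAM request whose start is visible in the log."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # wrapped continuation such as "(System error)]"
        func, level, msg = m.group(1), int(m.group(2)), m.group(3)
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = {"fields": {}, "hbac_errors": [], "verdict": "incomplete"}
            requests.append(current)
        elif current is None:
            continue  # tail of a request that began before the excerpt
        elif func == "pam_print_data":
            key, _, value = msg.partition(":")
            current["fields"][key.strip()] = value.strip()
        elif "hbac" in func and level <= 3:  # assumption: levels 0-3 are failures
            current["hbac_errors"].append(f"{func}: {msg}")
        elif func == "be_pam_handler_callback" and (r := RESULT.search(msg)):
            status = r.group(3).strip()
            if status == "Success":
                current["verdict"] = "ok"
            elif status.startswith("Internal Error") and current["hbac_errors"]:
                current["verdict"] = "hbac_provider_failure"
            else:
                current["verdict"] = "other: " + status
            current = None
    return requests

if __name__ == "__main__":
    print([(r["fields"].get("user"), r["verdict"]) for r in triage(SAMPLE_LOG)])
```

A request tagged `hbac_provider_failure` means the access check never reached a rule decision, so the place to look is the provider and its cached data rather than the HBAC rules themselves.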

From shanks:

Hi Pieter,

I could reproduce this when I had an empty hbacsvc group. Could you please
check if you have any empty hbac service groups configured, "ipa
hbacsvcgroup-find --all" should help you find that.

If yes, could you try authenticating again after removing the empty hbacsvcgroup?

It looks like there are two separate issues here. I've created Ticket #981 to track the empty service group problem.

summary: HBAC provider fails if there are empty HBAC service groups => HBAC provider regression in 1.5.12

Fields changed

patch: 0 => 1
status: new => assigned

Fixed by:
- 473c908 (master)
- 207d589 (sssd-1-6)
- fde6ab6 (sssd-1-5)

resolution: => fixed
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13
