Learn more about these different git repos.
Other Git URLs
Description of problem:
after updating to 1.5.12-1 ipa users can no longer login
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install Fedora 15 (withouth updates) and connect to rhel ipa-server
2. login as ipauser works
3. update to sssd-1.5.12 (or update everything)
4. login as ipauser no longer works
Connection closed by ::1
with higher debuglevel in sssd.conf (debug_level = 5)
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
[be_pam_handler_callback] (4): Sending result [office.aboveit.nl]
[be_pam_handler_callback] (4): Sent result [office.aboveit.nl]
[child_sig_handler] (4): child  finished successfully.
[be_pam_handler] (4): Got request with the following data
[pam_print_data] (4): command: PAM_ACCT_MGMT
[pam_print_data] (4): domain: office.aboveit.nl
[pam_print_data] (4): user: ipauser
[pam_print_data] (4): service: sshd
[pam_print_data] (4): tty: ssh
[pam_print_data] (4): ruser:
[pam_print_data] (4): rhost: localhost
[pam_print_data] (4): authtok type: 0
[pam_print_data] (4): authtok size: 0
[pam_print_data] (4): newauthtok type: 0
[pam_print_data] (4): newauthtok size: 0
[pam_print_data] (4): priv: 0
[pam_print_data] (4): cli_pid: 6675
[ipa_hbac_sysdb_save] (1): Could not determine original members
[ipa_hbac_sysdb_save] (3): Error [No such file or directory]
[hbac_sysdb_save] (1): Error saving hosts: [No such file or directory]
[be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error
Probably a directory is missing, but I can't find which one.
HBAC rules allows everything for this user
I could reproduce this when I had an empty hbacsvc group. Could you please
check if you have any empty hbac service groups configured, "ipa
hbacsvcgroup-find --all" should help you find that.
If yes, could try authenticating again after removing the empty hbacsvcgroup?
It looks like there are two separate issues here. I've created Ticket #981 to track the empty service group problem.
summary: HBAC provider fails if there are empty HBAC service groups => HBAC provider regression in 1.5.12
patch: 0 => 1
status: new => assigned
- 473c908 (master)
- 207d589 (sssd-1-6)
- fde6ab6 (sssd-1-5)
resolution: => fixed
status: assigned => closed
rhbz: 733237 => [https://bugzilla.redhat.com/show_bug.cgi?id=733237 733237]
Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
to comment on this ticket.