#981 Authentication fails when there exists an empty hbacsvcgroup.
Closed: Fixed. Opened 7 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=733663

Description of problem:
Authentication fails when there exists an empty hbacsvcgroup.

Version-Release number of selected component (if applicable):
sssd-1.5.13-0.20110823T0331z.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an ipa user "user1"
2. From the client, make sure you are able to log in using ssh.
3. Create an empty hbacsvcgroup
# ipa hbacsvcgroup-add grp1 --desc=grp1
-------------------------------
Added HBAC service group "grp1"
-------------------------------
  Service group name: grp1
  Description: grp1

4. Try authenticating again as "user1".

Actual results:
Authentication now fails for user1.

/var/log/secure:
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com  user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration


sssd domain log:
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services:  [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: sh[0xa43a00], connected[1], ops[(nil)], ldap[0xa58110]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!


Expected results:
Authentication should not fail.

Additional info:
[root@bumblebee ~]# ipa hbacsvcgroup-find --all
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------


# ipa hbacrule-find --all
-------------------
1 HBAC rule matched
-------------------
  dn: ipauniqueid=9a926bd6-cd6d-11e0-9bfa-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
  accessruletype: allow
  ipauniqueid: 9a926bd6-cd6d-11e0-9bfa-525400deab7b
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------


/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = lab.eng.pnq.redhat.com
[nss]
[pam]
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
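
For a defender reading the /var/log/secure excerpt above, the useful signal is that pam_sss accepted the password and the account phase then returned 4 (PAM_SYSTEM_ERR) rather than a policy denial: that is an SSSD backend failure, not a wrong password. The script below is an added example, not part of this report or of SSSD; it correlates the quoted lines by sshd PID (the sample log is copied from the report above) and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure lines quoted in the bug report above.
SECURE_LOG = """\
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com  user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY_RE = re.compile(
    r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")

PAM_SYSTEM_ERR = 4  # Linux-PAM return code surfaced as "(System error)"


def find_backend_denials(log_text):
    """Return (pid, user, code, reason) for sshd sessions in which pam_sss accepted
    the password but the account (HBAC) phase was then denied."""
    auth_ok = defaultdict(set)  # sshd pid -> users whose password pam_sss accepted
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        a = AUTH_OK_RE.search(msg)
        if a:
            auth_ok[pid].add(a.group("user"))
            continue
        d = ACCT_DENY_RE.search(msg)
        if d and d.group("user") in auth_ok[pid]:
            hits.append((pid, d.group("user"), int(d.group("code")), d.group("reason")))
    return hits


def classify(hits):
    """Label each hit: a code of 4 means the SSSD backend failed (the bug above);
    anything else is a genuine HBAC policy decision."""
    return [(pid, user, "backend_error" if code == PAM_SYSTEM_ERR else "policy_denied")
            for pid, user, code, _ in hits]


if __name__ == "__main__":
    for pid, user, label in classify(find_backend_denials(SECURE_LOG)):
        print(f"sshd[{pid}] user={user}: {label}")
```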

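The trigger is simply an HBAC service group with no members, which `ipa hbacsvcgroup-find --all` shows as an entry without any member_ attribute. The parser below is an added example, not from this report or from FreeIPA; it reads that command's output (the sample is copied from the report above) and lists the empty groups so they can be reviewed on an affected build. Function names are assumptions of mine.

```python
# Constructed sample: the `ipa hbacsvcgroup-find --all` output quoted in the report.
FIND_OUTPUT = """\
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_entries(text):
    """Split ipa *-find output into one dict per entry. Entries are 'key: value'
    lines; a blank line or a new 'dn:' line starts the next entry. The dashed
    banners and the count lines carry no ': ' and are skipped."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("-") or ": " not in line:
            continue
        key, _, val = line.partition(": ")
        if key == "dn" and cur:
            entries.append(cur)
            cur = {}
        cur[key] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def empty_service_groups(text):
    """Names of service groups with no member_* attribute at all. On the sssd
    build in this report, one such group makes every login fail with System error."""
    return [e["Service group name"] for e in parse_entries(text)
            if not any(k.startswith("member_") for k in e)]
```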
Fields changed

coverity: =>

owner: somebody => sgallagh
patch: => 0
rhbz: => 733663
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

patch: 0 => 1

Fixed by:
- 5215f68 (master)
- 1457e0c (sssd-1-6)
- df38d94 (sssd-1-5)

resolution: => fixed
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13

2 years ago
