#981 Authentication fails when there exists an empty hbacsvcgroup.
Closed: Fixed None Opened 10 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=733663

Description of problem:
Authentication fails when there exists an empty hbacsvcgroup.

Version-Release number of selected component (if applicable):
sssd-1.5.13-0.20110823T0331z.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an ipa user "user1"
2. From client make sure you are able to log in using ssh.
3. Create an empty hbacsvcgroup
# ipa hbacsvcgroup-add grp1 --desc=grp1
-------------------------------
Added HBAC service group "grp1"
-------------------------------
  Service group name: grp1
  Description: grp1

4. Try authenticating again as "user1".

Actual results:
Authentication now fails for user1.

/var/log/secure:
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com  user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration


sssd domain log:
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services:  [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: sh[0xa43a00], connected[1], ops[(nil)], ldap[0xa58110]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
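Read together, the two excerpts above show the shape of this failure: pam_sss reports success in the auth phase, the account phase is then denied with PAM return code 4 (System error) rather than 6 (Permission denied), and the SSSD backend logs an HBAC cache-save failure before returning an internal error. The Python below is an added example, not code from the ticket or from SSSD: it parses both excerpts (embedded as constructed sample input copied from the ticket, plus one constructed line showing a genuine policy denial for contrast) and classifies the account denial as an access-provider internal error. That distinction is what an operator triaging a login outage needs, because SSSD failed closed here rather than denying on policy. The values 4 and 6 are the standard PAM_SYSTEM_ERR and PAM_PERM_DENIED return codes.

```python
import re

# Constructed sample input: these lines are copied from the ticket's
# /var/log/secure and sssd domain log excerpts.
SECURE_LOG = """\
Aug 26 08:02:57 ironhide sshd[25085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com  user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ironhide.lab.eng.pnq.redhat.com user=user1
Aug 26 08:02:58 ironhide sshd[25085]: pam_sss(sshd:account): Access denied for user user1: 4 (System error)
Aug 26 08:02:58 ironhide sshd[25085]: Failed password for user1 from 10.65.201.65 port 50746 ssh2
Aug 26 08:02:58 ironhide sshd[25086]: fatal: Access denied for user user1 by PAM account configuration
"""

SSSD_LOG = """\
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (1): Could not determine original members
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_sysdb_save] (3): Error [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_sysdb_save] (1): Error saving services:  [2][No such file or directory]
(Fri Aug 26 08:03:36 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

# Constructed line (not from the ticket) showing what a genuine HBAC policy
# denial looks like, for contrast: PAM_PERM_DENIED instead of PAM_SYSTEM_ERR.
POLICY_DENIAL_LINE = (
    "Aug 26 08:10:00 ironhide sshd[25090]: pam_sss(sshd:account): "
    "Access denied for user user2: 6 (Permission denied)\n"
)

# Standard PAM return codes from <security/_pam_types.h>.
PAM_SYSTEM_ERR = 4
PAM_PERM_DENIED = 6

PAM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)")
DENY_RE = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
SSSD_RE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")


def parse_pam_events(secure_text):
    """Return (pid, module, phase, message) for every pam_* line logged by sshd."""
    events = []
    for line in secure_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            events.append((m["pid"], m["module"], m["phase"], m["msg"]))
    return events


def account_denials(events):
    """Return (pid, user, pam_code, text) for pam_sss account-phase denials."""
    out = []
    for pid, module, phase, msg in events:
        if module != "pam_sss" or phase != "account":
            continue
        d = DENY_RE.search(msg)
        if d:
            out.append((pid, d["user"], int(d["code"]), d["text"]))
    return out


def hbac_save_errors(sssd_text):
    """Return the distinct *hbac_sysdb_save functions that logged a failure, in order."""
    funcs = []
    for line in sssd_text.splitlines():
        m = SSSD_RE.search(line)
        if m and m["func"].endswith("hbac_sysdb_save") and m["msg"].startswith(("Error", "Could not")):
            funcs.append(m["func"])
    return list(dict.fromkeys(funcs))


def triage(secure_text, sssd_text):
    """Classify an sshd login failure by combining /var/log/secure with the sssd domain log."""
    events = parse_pam_events(secure_text)
    denials = account_denials(events)
    saves = hbac_save_errors(sssd_text)
    auth_ok = any(mod == "pam_sss" and ph == "auth" and "success" in msg for _, mod, ph, msg in events)
    if any(code == PAM_SYSTEM_ERR for _, _, code, _ in denials) and saves:
        # The access provider hit an internal error while refreshing the HBAC
        # cache; SSSD failed closed, so this is an outage, not a policy verdict.
        cls = "access_provider_internal_error"
    elif any(code == PAM_PERM_DENIED for _, _, code, _ in denials):
        cls = "policy_denial"
    elif denials:
        cls = "account_denied_unclassified"
    else:
        cls = "no_account_denial"
    return {"auth_succeeded": auth_ok, "denials": denials, "save_errors": saves, "classification": cls}


if __name__ == "__main__":
    for key, value in triage(SECURE_LOG, SSSD_LOG).items():
        print(f"{key}: {value}")
```

Running the block prints the triage of the ticket's own lines; the classification hinges on the account-phase return code, so the same logic applies to any sshd conversation where pam_sss is the account module.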


Expected results:
Authentication should not fail.

Additional info:
[root@bumblebee ~]# ipa hbacsvcgroup-find --all
-----------------------------
2 HBAC service groups matched
-----------------------------
  dn: cn=grp1,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: grp1
  Description: grp1
  ipauniqueid: 04e8bf66-cfdb-11e0-8dda-525400deab7b
  objectclass: ipaobject, ipahbacservicegroup, groupOfNames, top

  dn: cn=sudo,cn=hbacservicegroups,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service group name: Sudo
  Description: Default group of Sudo related services
  ipauniqueid: 98417322-cd6d-11e0-ba9f-525400deab7b
  member_hbacsvc: sudo, sudo-i
  objectclass: ipaobject, ipahbacservicegroup, nestedGroup, groupOfNames, top
----------------------------
Number of entries returned 2
----------------------------


# ipa hbacrule-find --all
-------------------
1 HBAC rule matched
-------------------
  dn: ipauniqueid=9a926bd6-cd6d-11e0-9bfa-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
  accessruletype: allow
  ipauniqueid: 9a926bd6-cd6d-11e0-9bfa-525400deab7b
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------
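The directory dump above is the whole policy in play: grp1 is a groupOfNames with no member attribute, Sudo has two members, and the single rule allow_all matches every user, host and service by category. Under HBAC semantics an empty service group should therefore simply contribute no services, and the ticket's logs show the breakage happened at the cache-save step (hbac_sysdb_save), so no verdict was ever reached. The Python below is an added illustrative model, not SSSD's libipa_hbac and not code from the ticket: it evaluates requests against rules built from the dump (constructed into dicts) and shows that an empty or unknown group resolves to the empty set rather than an error. Source host matching is left out of the model; the rules sudo_only and grp1_only are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """One HBAC rule. Each dimension is either category 'all' or an explicit
    set of direct members plus named groups, mirroring the fields shown by
    `ipa hbacrule-find --all` (source host is omitted from this model)."""
    name: str
    enabled: bool = True
    user_category: str = ""
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    host_category: str = ""
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    service_category: str = ""
    services: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


def expand(direct, group_names, groups):
    """Direct members plus the members of each named group.

    A group that exists but has no members (like grp1 in the ticket) adds
    nothing, and an unknown group is treated the same way, so neither raises."""
    members = set(direct)
    for name in group_names:
        members |= set(groups.get(name, ()))
    return members


def dimension_matches(category, direct, group_names, groups, value):
    """Category 'all' matches anything; otherwise the value must be a resolved member."""
    if category == "all":
        return True
    return value in expand(direct, group_names, groups)


def rule_matches(rule, request, user_groups, host_groups, svc_groups):
    """True if the enabled rule covers the (user, host, service) request."""
    if not rule.enabled:
        return False
    return (
        dimension_matches(rule.user_category, rule.users, rule.user_groups, user_groups, request["user"])
        and dimension_matches(rule.host_category, rule.hosts, rule.host_groups, host_groups, request["host"])
        and dimension_matches(rule.service_category, rule.services, rule.service_groups, svc_groups, request["service"])
    )


def evaluate(request, rules, user_groups, host_groups, svc_groups):
    """HBAC rules are allow-only: any matching enabled rule allows, otherwise deny."""
    for rule in rules:
        if rule_matches(rule, request, user_groups, host_groups, svc_groups):
            return "allow"
    return "deny"


# Constructed from the ticket's `ipa hbacsvcgroup-find --all` output:
# grp1 has no member_hbacsvc, Sudo contains sudo and sudo-i.
SVC_GROUPS = {"grp1": frozenset(), "Sudo": frozenset({"sudo", "sudo-i"})}

# The ticket's allow_all rule, plus two hypothetical rules for contrast.
ALLOW_ALL = HbacRule(name="allow_all", user_category="all", host_category="all", service_category="all")
SUDO_ONLY = HbacRule(name="sudo_only", user_category="all", host_category="all", service_groups={"Sudo"})
GRP1_ONLY = HbacRule(name="grp1_only", user_category="all", host_category="all", service_groups={"grp1"})

# The reporter's request: user1 logging in over ssh to the client host.
SSH_LOGIN = {"user": "user1", "host": "ironhide.lab.eng.pnq.redhat.com", "service": "sshd"}

if __name__ == "__main__":
    print(evaluate(SSH_LOGIN, [GRP1_ONLY, ALLOW_ALL], {}, {}, SVC_GROUPS))  # allow
    print(evaluate(SSH_LOGIN, [GRP1_ONLY], {}, {}, SVC_GROUPS))             # deny
```

The point of the model is the contrast with the ticket: with the empty group present, the correct outcome for user1 is still "allow" via allow_all, and a rule scoped only to the empty group yields a clean "deny", never an error.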


/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = lab.eng.pnq.redhat.com
[nss]
[pam]
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

Fields changed

coverity: =>

owner: somebody => sgallagh
patch: => 0
rhbz: => 733663
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

patch: 0 => 1

Fixed by:
- 5215f68 (master)
- 1457e0c (sssd-1-6)
- df38d94 (sssd-1-5)

resolution: => fixed
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.13

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2023

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
