SSSD authentication fails after upgrade to 1.11.8-0ubuntu0.2
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sssd | Fix Released | Unknown | | |
| sssd (Ubuntu) | Fix Released | High | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* sssd authentication fails if only allow rules are used and simple_
* That is a regression to the status before the last SRU update.
* The fix is a backport of the upstream fix for https:/
[Test Case]
* Set up sssd (can be quite complex) with only allow rules and simple_
* Then authenticate a user/group combo where the group verification fails
* This should succeed, but no longer does since the last update
[Regression Potential]
* Since this is a backport of a single fix that lacks the other changes which went upstream in between, there is a chance we missed in code review that more context needs to be backported, which could now cause other authentication issues.
[Other Info]
* Setup is so complex that we likely have to rely on the reporter for verification.
* The reporter tested various config options for his issue; it would be kind if he could do so as well for the proposed verification.
---
During the first half of September, the Ubuntu sssd package was updated from 1.11.5-1ubuntu3 to 1.11.8-0ubuntu0.2. We use sssd for authentication on a few dev servers and all our Ubuntu workstations. After the first systems began upgrading we noticed people are no longer able to log in. Using the UI you're simply redirected to the login screen. With ssh the connection is closed right away:
$ ssh username@
username@
Connection closed by x.x.x.244
In the auth log we can see the following:
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_unix(
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.250 user=username
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_sss(
Nov 9 09:33:10 nv-hostname04 sshd[5397]: Failed password for username from x.x.x.250 port 54210 ssh2
Nov 9 09:33:10 nv-hostname04 sshd[5397]: fatal: Access denied for user username by PAM account configuration [preauth]
Once I have downgraded the packages to the previous version everything works fine again:
apt-get install -y --force-yes sssd=1.
echo 'sssd hold' | dpkg --set-selections
I started enabling sssd debug logs, going from level 3 up to 7. It seems the problem is directly related to the fact that sssd cannot resolve the names of a few groups. The users are members of various mailing lists which we don't want listed on our Linux PCs.
(Wed Nov 9 09:33:10 2016) [sssd[be[
(Wed Nov 9 09:33:10 2016) [sssd[be[
(Wed Nov 9 09:33:10 2016) [sssd[be[
I also noticed this is directly related to the simple_allow_groups module that we use to allow login for specific groups. Here's what I have tried and confirmed it fixes the issue:
1. comment out the line "simple_
2. change the "ldap_group_
For the sake of testing, I used the sssd/updates PPA to install version 1.12.5-1~trusty1 of sssd. I can confirm that in this version everything works as expected. So basically:
broken: 1.11.8-0ubuntu0.2
good: 1.11.5-1ubuntu3
good: 1.12.5-1~trusty1
I looked at the upstream merges Ubuntu has done for 1.11.8; there are around 5-6 changes, but I cannot figure out which one introduced the error.
The direct issue from sssd which describes the exact same issue is found at: https:/
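As an added illustration (not sssd's own code), the following Python model shows the access decision the [Test Case] describes: a user's groups are resolved one by one, and with allow rules only, a group that cannot be resolved (here a filtered-out mailing list) is skipped, whereas the regressed package treated any failed lookup as a denial. The group names, GIDs and the fail-closed handling for deny rules are constructed assumptions, not taken from the report.

```python
# Added illustration, not sssd's own code: a model of the simple access
# provider's allow/deny decision described in this bug. Names are constructed.
# Constructed directory: GID 2000 is a mailing-list group filtered out of
# the LDAP search base, so its name cannot be resolved (lookup gives None).
CONSTRUCTED_GROUPS = {1000: "developers", 3000: "staff"}


def resolve_group(gid):
    """Stand-in for the back end's GID -> name lookup; None = unresolvable."""
    return CONSTRUCTED_GROUPS.get(gid)


def simple_access_check(user, user_gids, allow_users=(), allow_groups=(),
                        deny_users=(), deny_groups=(), regressed=False):
    """Return True if login is allowed.

    regressed=True reproduces the 1.11.8-0ubuntu0.2 behaviour reported here:
    any group that fails to resolve makes the whole check fail.
    """
    if user in deny_users:
        return False
    names, unresolved = [], []
    for gid in user_gids:
        name = resolve_group(gid)
        if name is None:
            unresolved.append(gid)
        else:
            names.append(name)
    if regressed and unresolved:
        return False
    if deny_groups:
        # Assumption (defensive, not stated in the report): with deny rules
        # an unresolved group might be a denied one, so fail closed.
        if unresolved or any(n in deny_groups for n in names):
            return False
    if not allow_users and not allow_groups:
        return True  # no allow rules: everyone not denied gets in
    if user in allow_users:
        return True
    # Fixed behaviour: unresolved groups are skipped; membership in any
    # resolvable allowed group is enough.
    return any(n in allow_groups for n in names)


def reproduce():
    """The reporter's scenario: one allowed group plus one unresolvable."""
    gids = [1000, 2000]
    common = dict(allow_groups=("developers",))
    return {"broken": simple_access_check("username", gids, regressed=True, **common),
            "fixed": simple_access_check("username", gids, **common)}
```

`reproduce()` returns `{'broken': False, 'fixed': True}`: the same user and configuration is denied by the regressed logic and admitted once the unresolvable group is ignored.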
Changed in sssd:
status: Unknown → Fix Released
description: updated
Changed in sssd (Ubuntu):
status: Triaged → Fix Released
Thanks for your pre-analysis on this Florin.
It seems it is an upstream issue - just as you pointed out with the linked ticket.
And that matches exactly what you report (and makes sense that neither me nor you find one of the changes Ubuntu introduced to be related to the issue).
IMHO this happened this way:
good: 1.11.5-1ubuntu3
> upstream introduced issue, picked up by the bugfix release to 1.11.8 by us
broken: 1.11.8-0ubuntu0.2
> upstream fixed in 1.12.3 according to the ticket.
good: 1.12.5-1~trusty1
I checked on the fixes themselves, since a bug tracker is ultimately only text, but it matches:
$ git tag --contains 79f12880 | head -n 1
sssd-1_12_3
82a958e6 is the same as above, but on the dev branch
$ git tag --contains 45a089a7 | head -n 1
sssd-1_12_5
So 1.12.5 that you tested from ppa should work and that is what you report.
I doubt we want to pull all of 1.12.5 into trusty - the whole reason to pull in 1.11.8 (I assume) was that it was meant to be a bugfix-only release.
So one has to evaluate if the patches would apply.
While checking that I realized that I had accidentally created almost the full fix - so we could just as well test it. But since I have no knowledge of sssd nor a setup, I need you for that.
So I created a PPA at https://launchpad.net/~paelzer/+archive/ubuntu/trusty-sssd-bug-1640805 and would like to have:
- a verification from you on the ppa
- a comment from Timo as he did the update to 1.11.8