sss_obfuscate breaks /etc/sssd/sssd.conf

I'm not able to reproduce this in the current Xenial release, which Ubuntu Release / Package version did this issue occur in?

[Expired for sssd (Ubuntu) because there has been no activity for 60 days.]

This was on trusty/vivid/wiley and just tried on xenial with latest updates: same thing:

diff -u sssd.conf.ok sssd.conf

--- sssd.conf.ok 2017-09-27 04:41:37.686277498 +0000
+++ sssd.conf 2017-09-27 04:43:10.589649195 +0000
@@ -26,7 +26,7 @@
 ssh_known_hosts_timeout = 180

 [domain/LDAP]
-debug_level = 0x00F0
+debug_level = 240
 #debug_level = 65535

 # To force, that sss obtains group memberships via the ou=group subtree instead
@@ -34,9 +34,7 @@
 # However, since Solaris uses rfc2307bis wrt. automounter, we adjust the related
 # mapping - perhaps sometinmes Ubuntu supports automount entries via nss.
 ldap_schema = rfc2307
-ldap_autofs_map_object_class = automountMap
 ldap_autofs_map_name = automountMapName
-ldap_autofs_entry_key = automountKey
 ldap_user_ad_account_expires = ds-pwp-account-expiration-time

 id_provider = ldap
@@ -44,7 +42,6 @@
 #chpass_provider = ldap
 #autofs_provider = ldap
 #hostid_provider = ldap
-selinux_provider = none

 # NOTE: It is absolutely important to use the FQDN of the ldap server, NOT its
 # IP address, since the IP address is usually not in the CN or AltSubjectNames
@@ -61,7 +58,6 @@
 ldap_group_search_base = ou=group,ou=wg,ou=department,o=devision?one?
 ldap_netgroup_search_base = ou=netgroup,ou=wg,ou=department,o=devision?one?
 ldap_service_search_base = ou=services,ou=wg,ou=department,o=devision?one?
-ldap_autofs_search_base = ou=wg,ou=department,o=devision?one?
 #ldap_sudo_search_base =

 #ldap_ns_account_lock
@@ -90,3 +86,4 @@
 # https://fedorahosted.org/sssd/
 # https://jhrozek.fedorapeople.org/sssd/1.12.3/man/
 # https://wiki.ubuntu.com/Enterprise/Authentication/sssd
+ldap_default_authtok = AAAQAC9lCrBXPIv1mfF11myY8rhuPBmKpW2d9Rd5uwq4rQZHfsMkik6rC0sAtmy4am5e2+bFBtIWU6PzWPrsSqytwGcAAQID

Hi,

I'm trying to reproduce this bug to see if it's still valid, but so far I haven't had much success. I tried crafting a /etc/sssd/sssd.conf using Jens' diff, but after using sss_obfuscate on it I only see a small excerpt being added to the end of the config file, and no lines being removed.

I also looked at upstream's bug reports and tried finding something related to this. There are some sss_obfuscate bugs that have been fixed over the years, but nothing that really resembles this one.

Jens, would it be possible for you to check if this bug is still reproducible, and to provide reproduction steps please? Meanwhile, I will set this bug as Incomplete.

Moreover, I would like to post a comment made by one of the sssd developers regarding sss_obfuscate:

====
First, an aside: please do not use the sss_obfuscate tool. It is virtually useless and provides zero security benefit. It was added to placate a customer who was paying a brain-dead auditor to review their use of the code. Obfuscated passwords are 100% reversible encryption. Anyone who has access to the sssd.conf can trivially reverse the password and get its plaintext password. They need only take a look at the well-commented source code of the sss_obfuscate tool. Given that the sssd.conf file is already forced to be readable only by root, the obfuscation is an unnecessary option that only gives an illusion of added security, we strongly recommend against using it at all.
====

With that in mind, and assuming that the bug is still valid, I consider it to be low priority.

Thanks.

[Expired for sssd (Ubuntu) because there has been no activity for 60 days.]