[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

Tue, 17 Jan 2017 01:56:49 -0800 

It seems something got corrupted in my ipa setup. I found this in the
sssd log file on Wheezy:

(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing 
source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on 
[cn=System: Manage Host 
Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
(Tue Jan 17 10:19:02 2017) [hbac_ctx_to_rules] (0x0020): Could not construct 
eval request
(Tue Jan 17 10:19:02 2017) [ipa_hbac_evaluate_rules] (0x0020): Could not 
construct HBAC rules
(Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Backend 
returned: (3, 4, <NULL>) [Internal Error (System error)]
(Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Sending result 
[4][example.de]
(Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Sent result 
[4][example.de]

This happens on a login via ssh, or if I run "su - username" as
root. The su session gives just a warning, but for sshd I have to
disable pam to allow remote logins.

Complete log is attached, of course.


Every helpful comment is highly appreciated.
Harri

(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [be_get_account_info] (0x0100): Got request for [3][1][name=jupp]
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=de]
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jupp)(objectclass=posixAccount))][cn=accounts,dc=example,dc=de].
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_save_user] (0x0400): Storing info for user jupp
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [uid=jupp,cn=users,cn=accounts,dc=example,dc=de] using OpenLDAP deref
(Tue Jan 17 10:19:01 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][uid=jupp,cn=users,cn=accounts,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=User Administrator,cn=roles,cn=accounts,dc=example,dc=de] has no attributes
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_parse_entry] (0x0040): sdap_parse_deref failed [22]: Invalid argument
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0020): reply parsing callback failed.
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_search_done] (0x0100): sdap_get_generic_ext_recv failed [22]: Invalid argument
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_deref_search_done] (0x0040): dereference processing failed [22]: Invalid argument
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init Groups Failed
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): domain: example.de
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): user: jupp
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): service: su
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): tty: /dev/pts/4
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): ruser: root
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): rhost: 
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): cli_pid: 15885
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_access_send] (0x0400): Performing access check for user [jupp]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [jupp]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=vdpcl023.vs.example.de))][cn=accounts,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=vdpcl023.vs.example.de,cn=computers,cn=accounts,dc=example,dc=de] using OpenLDAP deref
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=vdpcl023.vs.example.de,cn=computers,cn=accounts,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=de][2][(objectClass=ipaHBACService)]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=de][2][(objectClass=ipaHBACServiceGroup)]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=de][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vdpcl023.vs.example.de,cn=computers,cn=accounts,dc=example,dc=de)))]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vdpcl023.vs.example.de,cn=computers,cn=accounts,dc=example,dc=de)))][cn=hbac,dc=example,dc=de].
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.de]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.de]
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): domain: example.de
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): user: jupp
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): service: su
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): tty: /dev/pts/4
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): ruser: root
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): rhost: 
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): cli_pid: 15885
(Tue Jan 17 10:19:02 2017) [sssd[be[example.de]]] [be_pam_handler] (0x0100): Sending result [0][example.de]
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): command: PAM_CLOSE_SESSION
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): domain: example.de
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): user: jupp
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): service: su
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): tty: /dev/pts/4
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): ruser: root
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): rhost: 
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): cli_pid: 15885
(Tue Jan 17 10:19:03 2017) [sssd[be[example.de]]] [be_pam_handler] (0x0100): Sending result [0][example.de]

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to