Bug#965143: sssd: SSSD 2.3 won't let log in or use sudo

2020-07-20 Thread Sam Morris
Source: sssd
Followup-For: Bug #965143
Control: -1 + fixed-upstream patch

Upstream thinks this is https://github.com/SSSD/sssd/pull/5222 which
has been fixed upstream.

https://patch-diff.githubusercontent.com/raw/SSSD/sssd/pull/5222.patch

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#965143: sssd: SSSD 2.3 won't let log in or use sudo

2020-07-16 Thread Sam Morris
Package: sssd
Version: 2.3.0-2
Severity: grave
Justification: renders package unusable

This locks me out of my systems.

$ sudo -l
[sudo] password for sam.morris@ad.domain.example: 
Sorry, try again.
[sudo] password for sam.morris@ad.domain.example: 
Sorry, try again.
[sudo] password for sam.morris@ad.domain.example: 
sudo: 3 incorrect password attempts

Each authentication attempt logs the following in sssd_pam.log:

(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn_res] (0x0040): Search for upn [sam.morris@ad.domain.example] returns more than one result. One of the possible reasons can be that several users share the same email address.
(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn] (0x0040): Error: 22 (Invalid argument)
(2020-07-16 18:08:38): [pam] [sysdb_initgroups_by_upn] (0x0040): sysdb_search_user_by_upn() failed.
(2020-07-16 18:08:38): [pam] [cache_req_search_cache] (0x0020): CR #12: Unable to lookup [sam.morris@ad.domain.example] in cache [22]: Invalid argument
(2020-07-16 18:08:38): [pam] [pam_check_user_search_next] (0x0020): Fatal error, killing connection!

My user exists in an Active Directory domain that has a one-way trust
established via FreeIPA.

We do indeed have several users with the same email address. That's
(until now) been a perfectly valid setup (one human has several accounts
for performing different roles and they all have the same email
address).

Downgrading to 2.2.3-3 fixes the problem. It's necessary to remove the
sssd database after downgrading.

I've had a quick scan of the commits between 2.2.3 and 2.3.0 and
nothing's jumped out at me yet. I'll take another look later...

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages sssd depends on:
ii  python3-sss  2.3.0-2
ii  sssd-ad  2.3.0-2
ii  sssd-common  2.3.0-2
ii  sssd-ipa 2.3.0-2
ii  sssd-krb5    2.3.0-2
ii  sssd-ldap    2.3.0-2
ii  sssd-proxy   2.3.0-2

sssd recommends no packages.

sssd suggests no packages.

-- no debconf information
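The sssd_pam.log excerpt in the report above is the only observable symptom of this regression on an affected host, so an operator who wants to spot it across a fleet before users start reporting lockouts needs to watch for that exact log pattern. The following Python script is an added example, not part of Sam Morris's report and not SSSD project code. It parses the SSSD debug-log line layout `(timestamp): [component] [function] (0xLEVEL): message`, re-joins messages that a mail client or pager has wrapped onto a continuation line, and reports every UPN for which `sysdb_search_user_by_upn_res` returned the "more than one result" error. The sample log embedded in `SAMPLE_LOG` is constructed from the lines quoted in the report; the function and file names are this example's own choices.

```python
"""Scan an SSSD debug log for the ambiguous-UPN lookup failure reported in #965143.

Added example: this is not code from the bug report or from the SSSD project.
"""
import re
import sys
from typing import Dict, List, NamedTuple

# SSSD debug log line layout, as shown in the report:
#   (YYYY-MM-DD HH:MM:SS): [component] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(?P<component>[^\]]+)\] \[(?P<function>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<message>.*)$"
)

# The message emitted when a UPN search in the sysdb cache matches several users.
UPN_AMBIGUITY_RE = re.compile(
    r"Search for upn \[(?P<upn>[^\]]+)\] returns more than one result"
)

# Constructed sample, transcribed from the report's sssd_pam.log excerpt.
# The first entry is deliberately wrapped onto a second line to exercise
# the continuation-line handling below.
SAMPLE_LOG = """\
(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn_res] (0x0040): Search for upn [sam.morris@ad.domain.example] returns more than one result. One
of the possible reasons can be that several users share the same email address.
(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn] (0x0040): Error: 22 (Invalid argument)
(2020-07-16 18:08:38): [pam] [sysdb_initgroups_by_upn] (0x0040): sysdb_search_user_by_upn() failed.
(2020-07-16 18:08:38): [pam] [cache_req_search_cache] (0x0020): CR #12: Unable to lookup [sam.morris@ad.domain.example] in cache [22]: Invalid argument
(2020-07-16 18:08:38): [pam] [pam_check_user_search_next] (0x0020): Fatal error, killing connection!
"""


class Entry(NamedTuple):
    ts: str
    component: str
    function: str
    level: int       # the hex debug-level bitmask, e.g. 0x0040 -> 64
    message: str


def parse_sssd_log(text: str) -> List[Entry]:
    """Split log text into entries, gluing wrapped continuation lines back on."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["component"], m["function"],
                                 int(m["level"], 16), m["message"]))
        elif entries:
            # Not a new entry: treat as the wrapped tail of the previous message.
            prev = entries[-1]
            entries[-1] = prev._replace(message=prev.message + " " + line.strip())
    return entries


def find_ambiguous_upns(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each UPN that hit the multi-result error to the timestamps it occurred at."""
    hits: Dict[str, List[str]] = {}
    for e in entries:
        if e.function != "sysdb_search_user_by_upn_res":
            continue
        m = UPN_AMBIGUITY_RE.search(e.message)
        if m:
            hits.setdefault(m["upn"], []).append(e.ts)
    return hits


if __name__ == "__main__":
    # Usage: python3 scan_upn_ambiguity.py [/var/log/sssd/sssd_pam.log]
    # With no argument the constructed sample above is scanned instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for upn, when in sorted(find_ambiguous_upns(parse_sssd_log(text)).items()):
        print(f"{upn}: {len(when)} ambiguous UPN lookup(s), first at {when[0]}")
```

Pointing the script at a real `sssd_pam.log` requires the pam responder to be logging at a debug level that includes the 0x0020/0x0040 masks shown in the excerpt; at the default level these lines are still emitted because they are failure-class messages. A non-empty result is a strong indicator that the affected host is running a build with the PR 5222 regression and that the listed accounts cannot authenticate until the package is patched or downgraded as the report describes.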