** Description changed:
- During the first half of September, the Ubuntu sssd package has been
- updated from 1.11.5-1ubuntu3 to 1.11.8-0ubuntu0.2. We use sssd for
- authentication on a few dev servers and all our Ubuntu workstations.
- After the first systems began upgrading we noticed people are no longer
- able to login. Using the ui you're simply redirected to the login
- screen. With ssh the connection is closed right away:
+ [Impact]
+
+ * sssd authentication fails if only allow rules are used and
+ simple_allow_groups is set but group verification fails.
+
+ * That is a regression to the status before the last SRU update.
+
+ * The fix is a backport of the upstream fix for
+ https://fedorahosted.org/sssd/ticket/2519
+
+ [Test Case]
+
+ * Set up sssd (can be quite complex) with only allow rules and
+ simple_allow_rules config being set.
+
+ * Then authenticate a user/group combo where the group verification
+ fails
+
+ * This should succeed, but does no more since last update
+
+ [Regression Potential]
+
+ * Since this is a backport of a single fix, but lacks the other changes
+ that got upstream in-between there is the chance we missed in
+ code-review that there is more context needed to be backported that
+ could now cause other authentication issues.
+
+ [Other Info]
+
+ * Setup is so complex we likely have to rely on the reporter for
+ verification.
+
+ * Reporter tested with various config options for his issue - it would be
+ kind if he could do so as well for the proposed verification.
+
+ ---
+
+
+ During the first half of September, the Ubuntu sssd package has been updated
from 1.11.5-1ubuntu3 to 1.11.8-0ubuntu0.2. We use sssd for authentication on a
few dev servers and all our Ubuntu workstations. After the first systems began
upgrading we noticed people are no longer able to login. Using the ui you're
simply redirected to the login screen. With ssh the connection is closed right
away:
$ ssh username@nv-hostname04
- username@nv-hostname04's password:
+ username@nv-hostname04's password:
Connection closed by x.x.x.244
In the auth log we can see the following:
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.250 user=username
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.250 user=username
Nov 9 09:33:10 nv-hostname04 sshd[5397]: pam_sss(sshd:account): Access
denied for user username: 4 (System error)
Nov 9 09:33:10 nv-hostname04 sshd[5397]: Failed password for username from
x.x.x.250 port 54210 ssh2
Nov 9 09:33:10 nv-hostname04 sshd[5397]: fatal: Access denied for user
username by PAM account configuration [preauth]
Once I have downgraded the packages to the previous version everything
works fine again:
apt-get install -y --force-yes sssd=1.11.5-1ubuntu3
sssd-common=1.11.5-1ubuntu3 sssd-ad=1.11.5-1ubuntu3 sssd-ipa=1.11.5-1ubuntu3
sssd-krb5=1.11.5-1ubuntu3 sssd-ldap=1.11.5-1ubuntu3 sssd-proxy=1.11.5-1ubuntu3
python-sss=1.11.5-1ubuntu3 libsss-idmap0=1.11.5-1ubuntu3
sssd-ad-common=1.11.5-1ubuntu3 sssd-krb5-common=1.11.5-1ubuntu3
sssd-krb5-common=1.11.5-1ubuntu3 libipa-hbac0=1.11.5-1ubuntu3
sssd-ad-common=1.11.5-1ubuntu3 sssd-krb5-common=1.11.5-1ubuntu3
libsss-idmap0=1.11.5-1ubuntu3 sssd-krb5-common=1.11.5-1ubuntu3
echo 'sssd hold' | dpkg --set-selections
I started enabling sssd debug logs, starting from 3 up to 7. It seems
the problem is directly related to the fact that sssd cannot resolve the
name of a few groups. The users are part of different mailing lists
which we don't want listed on our Linux pcs.
(Wed Nov 9 09:33:10 2016) [sssd[be[ads.domain.com]]]
[simple_resolve_group_done] (0x0040): Refresh failed
(Wed Nov 9 09:33:10 2016) [sssd[be[ads.domain.com]]]
[simple_check_get_groups_next] (0x0040): Could not resolve name of group with
GID 2099314
(Wed Nov 9 09:33:10 2016) [sssd[be[ads.domain.com]]]
[simple_access_check_done] (0x0040): Could not collect groups of user username
I also noticed this is directly related to the simple_allow_groups
module that we use to allow login for specific groups. Here's what I
have tried and confirmed it fixes the issue:
1. comment out the line "simple_allow_groups = ", restart sssd =>
authentication works
2. change the "ldap_group_search_base" to include all un-resolvable groups,
restart sssd => authentication works.
For the sake of testing, I used the sssd/updates ppa to install version
1.12.5-1~trusty1 of the sssd. I can confirm in this version everything
works as expected. So basically:
broken: 1.11.8-0ubuntu0.2
good: 1.11.5-1ubuntu3
good: 1.12.5-1~trusty1
I looked at the upstream merges Ubuntu has done for 1.11.8, there are
around 5-6 changes but I cannot figure out which one introduced the
error.
The direct issue from sssd which describes the exact same issue is found
at: https://fedorahosted.org/sssd/ticket/2519 .
** Changed in: sssd (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1640805
Title:
SSSD authentication fails after upgrade to 1.11.8-0ubuntu0.2
To manage notifications about this bug go to:
https://bugs.launchpad.net/sssd/+bug/1640805/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
