[Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

Anthony Messina amessina at messinet.com
Sun Nov 11 22:37:46 UTC 2012


After upgrading to freeipa-{client,server}-2.2.1-1.fc17.x86_64 today, my 
clients are no longer able to log in via kdm or ssh (and perhaps others).  The 
secure log shows the following:

sshd[28922]: pam_sss(sshd:account): Access denied for user amessina: 4 (System 
error)

Of note, I have always had the HBAC allow_all rule enabled--I've never done 
anything with HBAC since I began using IPA.

The problem and resolution seem to be the same as 
https://www.redhat.com/archives/freeipa-users/2012-September/msg00016.html

where if I uninstall IPA on the clients, then remove the host on the IPA 
server, then reinstall on the client, things work as expected.

I have done this for all but one of the clients, and of course, the IPA 
server, which itself is a client.

I have increased sssd debugging and find that when trying to log in to the 
servers that have not been reinstalled as above, I get the following 
significant error in sssd_<domain>.log:

(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [be_pam_handler] (0x0100): 
Got request with the following data
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
command: PAM_ACCT_MGMT
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
domain: messinet.com
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
user: amessina
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
service: sshd
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
tty: ssh
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
ruser: 
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
rhost: 2001:470:c1dc:7779:d6be:d9ff:fe8d:7c1e
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
authtok type: 0
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
authtok size: 0
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
newauthtok size: 0
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
priv: 1
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data] (0x0100): 
cli_pid: 9069
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [sdap_access_send] 
(0x0400): Performing access check for user [amessina]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user 
[amessina]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(objectClass=ipaHost)(fqdn=ds.messinet.com))]
[cn=accounts,dc=messinet,dc=com].
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostName]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [sdap_process_result] 
(0x2000): Trace: sh[0x7f553cd5a500], connected[1], ops[0x7f553cd653a0], 
ldap[0x7f553cd56e20]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
[sdap_get_generic_ext_done] (0x1000): Total count [0]
(Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [be_pam_handler_callback] 
(0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

I also find that when I do a manual ldapsearch for the non-upgraded clients as 
follows:

ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost)(fqdn=*))" dn

the non-upgraded clients DO NOT appear in the list, but if I do the following:

ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost))" dn

the non-upgraded clients DO appear in the list.  Somehow the addition of the 
fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents them from 
being displayed.

There were no errors on any of the servers or clients during the upgrade.

Your help is appreciated.  I've tried to get this corrected all day without 
success.

Thanks in advance.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
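Added diagnostic example (not code from the original post, from FreeIPA or from sssd). It parses the LDIF that an `ldapsearch -LLL` style query returns, re-evaluates the two filters from the post against every entry, and lists the ipaHost entries that have no fqdn attribute at all. Those are exactly the entries a per-host filter of the form `(&(objectClass=ipaHost)(fqdn=<host>))` can never match, which is the shape of the "Total count [0]" result in the sssd log above; whether that is the cause on a given server is the post's observation, not something this script proves. The LDIF, the DNs and the host name `old.messinet.com` are constructed sample data, and the filter evaluator only covers the AND, presence and equality forms the post uses.

```python
"""Audit ipaHost entries in an LDIF dump for a missing fqdn attribute."""
from __future__ import annotations

import base64
import re
from typing import Dict, List

# Constructed sample LDIF (assumption, not real directory data): two hosts
# that carry an fqdn attribute and one assumed non-upgraded client that lacks it.
SAMPLE_LDIF = """\
dn: fqdn=ds.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com
objectClass: ipaHost
objectClass: top
fqdn: ds.messinet.com
cn: ds.messinet.com

dn: fqdn=ws1.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com
objectClass: ipaHost
objectClass: top
fqdn: ws1.messinet.com
cn: ws1.messinet.com

dn: cn=old.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com
objectClass: ipaHost
objectClass: top
cn: old.messinet.com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse minimal LDIF: 'attr: value' lines, entries separated by blank lines,
    folded continuation lines (leading space) and 'attr:: base64' values.
    Attribute names are lower-cased so lookups are case-insensitive like LDAP."""
    entries: List[Entry] = []
    current: Entry = {}
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _split_components(s: str) -> List[str]:
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate the subset of LDAP filters used in the post: AND lists,
    presence (attr=*) and case-insensitive equality (attr=value)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"unbalanced filter: {flt}")
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in _split_components(body[1:]))
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    if value == "*":
        return bool(values)  # presence: the attribute must exist with a value
    return any(v.lower() == value.lower() for v in values)


def search(entries: List[Entry], flt: str) -> List[str]:
    """Return the DNs of entries matching the filter, like 'ldapsearch ... dn'."""
    return [e["dn"][0] for e in entries if matches(e, flt)]


def hosts_missing_fqdn(entries: List[Entry]) -> List[str]:
    """ipaHost entries that the presence filter (fqdn=*) drops: the ones a
    per-host access-check filter on fqdn can never match."""
    all_hosts = set(search(entries, "(&(objectClass=ipaHost))"))
    with_fqdn = set(search(entries, "(&(objectClass=ipaHost)(fqdn=*))"))
    return sorted(all_hosts - with_fqdn)


def host_entry_count(entries: List[Entry], hostname: str) -> int:
    """Entries returned by the filter shape sssd logged for one host;
    0 corresponds to the 'Total count [0]' line in the post."""
    return len(search(entries, f"(&(objectClass=ipaHost)(fqdn={hostname}))"))


if __name__ == "__main__":
    hosts = parse_ldif(SAMPLE_LDIF)
    for dn in hosts_missing_fqdn(hosts):
        print("ipaHost entry without fqdn:", dn)
```

To run it against a real dump, replace `SAMPLE_LDIF` with the output of the post's second `ldapsearch` query extended with `objectClass fqdn cn` in place of `dn` (so the attributes are present in the LDIF), and compare the reported DNs with the list of clients that still fail the access check.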