[Freeipa-users] 4.1.0: Logon issue after upgrading IPA

Andreas Skarmutsos Lindh andreas at superblock.se
Mon Mar 16 21:03:39 UTC 2015


Hi everyone,

After upgrading (using rpm, yum upgrade) I can no longer log in to my
machines using ssh. Before the upgrade everything was working fine.

Some loose facts:
- I'm installing IPA packages from the RHEL repositories onto RHEL systems,
so I'm not sure if this is the right mailing list to ask for assistance
- I have a basic setup of IPA with minimum rules (deleted HBAC rules to
single that out), using SSSD+PAM.
- Both other machines that are upgraded to a more recent version of sssd
and its fellow packages and servers which were not yum upgraded are
affected by the issue, thus, everything seems to point at IPA.
- I'm able to obtain a Kerberos ticket via kinit
- Running the following package version: ipa-server-4.1.0-18.el7.x86_64

SSH returns (adding -vvv hardly tells me anything useful):
Connection closed by UNKNOWN

I think that I have boiled down the issue to the following:
Both clients with upgraded sssd (1.12.2-58) and non upgraded clients
(1.11.2-65) give me the following output in sssd_<domain>.log:
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [hbac_eval_user_element]
(0x0080): Parse error on [cn=Modify PassSync Managers
Configuration+nsuniqueid=21e13243-cbd011e4-ba3a9b82-0e1e4aae,cn=permissions,cn=pbac,dc=domain,dc=com]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [hbac_ctx_to_rules]
(0x0020): Could not construct eval request
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [ipa_hbac_evaluate_rules]
(0x0020): Could not construct HBAC rules
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [be_pam_handler_callback]
(0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [be_pam_handler_callback]
(0x0100): Sending result [4][domain.com]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [be_pam_handler_callback]
(0x0100): Sent result [4][domain.com]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f5711099220], connected[1], ops[(nil)],
ldap[0x7f571108d0e0]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

I'm happy to attach more logs if needed.
I would very much like to avoid rolling back to an older IPA version by
reinstalling everything from scratch.
Any and all help would be very much appreciated.

Thanks in advance,
Andreas
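
A triage sketch for the sssd_<domain>.log excerpt in the message above, as an added example that is not part of the original post: it rejoins the mail-wrapped lines, keeps only entries at SSSD failure levels, and extracts the DN from the HBAC parse error. The function names are hypothetical, and the sample is three entries copied from the excerpt.

```python
import re

# Sample: three entries copied from the wrapped log excerpt in the message above.
SAMPLE = """\
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [hbac_eval_user_element]
(0x0080): Parse error on [cn=Modify PassSync Managers
Configuration+nsuniqueid=21e13243-cbd011e4-ba3a9b82-0e1e4aae,cn=permissions,cn=pbac,dc=domain,dc=com]
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [hbac_ctx_to_rules]
(0x0020): Could not construct eval request
(Mon Mar 16 14:12:17 2015) [sssd[be[domain.com]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
"""

STAMP = r"\((?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\)"
START = re.compile("^" + STAMP + r" \[")
ENTRY = re.compile("^" + STAMP + r" \[(?P<comp>sssd\S*)\] \[(?P<func>\w+)\] "
                   r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_entries(text):
    """Rejoin mail-wrapped lines into one string per log entry, then parse each."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line  # continuation of the previous entry
    matches = (ENTRY.match(e) for e in joined)
    return [dict(m.groupdict(), level=int(m["level"], 16)) for m in matches if m]

def failures(entries):
    """SSSD levels 0x0010 (fatal) through 0x0080 (minor failure); higher is config/trace."""
    return [e for e in entries if e["level"] <= 0x0080]

def hbac_parse_error_dns(entries):
    """Return (dn, flagged) per HBAC parse error. flagged is True when the first RDN
    is multi-valued with nsuniqueid, the naming 389 Directory Server gives to
    replication conflict entries."""
    found = []
    for e in entries:
        m = re.match(r"Parse error on \[(.+)\]$", e["msg"])
        if m and e["func"].startswith("hbac_"):
            dn = m.group(1)
            found.append((dn, "+nsuniqueid=" in dn.split(",", 1)[0].lower()))
    return found

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for e in failures(entries):
        print(hex(e["level"]), e["func"], e["msg"])
    print(hbac_parse_error_dns(entries))
```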