Your message dated Fri, 26 Jan 2018 09:25:10 +0000
with message-id <e1ef0fy-000bh9...@fasolo.debian.org>
and subject line Bug#886483: fixed in sssd 1.16.0-4
has caused the Debian Bug report #886483,
regarding sssd gets confused by existing config file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
886483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sssd
Version: 1.16.0-3
Severity: minor
Dear Maintainer,
There is a regression in 1.16.0-2 and -3, rendering existing sssd
configurations unable to authenticate users. This happens if the old
config file has
services = nss, pam
in it. This used to be "the right way" of doing things but now with
socket activated nss and pam services sssd gets confused and its pam
service no longer works. Removing said line fixes it (hence
"Severity: minor") but this is highly confusing to the admin as the
service seems to be up and running.
The clue is in the log:
Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: (Sat Jan 6 14:50:47:876645 2018) [sssd] [main] (0x0010): Misconfiguration found for the pam responder.
Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: "systemctl disable sssd-pam.socket"
Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited status=17
Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
Jan 06 14:50:47 rigel systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
Jan 06 14:50:47 rigel systemd[1]: Dependency failed for SSSD PAM Service responder socket.
Jan 06 14:50:47 rigel systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
Jan 06 14:50:47 rigel systemd[1]: Listening on SSSD NSS Service responder socket.
Note how the log says "please consider" instead of "this is an error,
this will not work" and later shows a failure.
From the first "please consider" message I would presume sssd is
supposed to gracefully recover. The service seems to start when needed
and responds to some queries but always ends auth process with
[sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
And this means auth failure for pam of course.
Cheers,
Juha
P.S. This may be "works as intended" but considering it took me quite a
while to figure out why my existing, working configuration got broken
and Google came up with no help at all, I would think at least getting
this report onto Google results would be helpful to some people.
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_GB.UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sssd depends on:
ii python3-sss 1.16.0-3
ii sssd-ad 1.16.0-3
ii sssd-common 1.16.0-3
ii sssd-ipa 1.16.0-3
ii sssd-krb5 1.16.0-3
ii sssd-ldap 1.16.0-3
ii sssd-proxy 1.16.0-3
sssd recommends no packages.
sssd suggests no packages.
-- no debconf information
--- End Message ---
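The condition the log in the report above complains about (a responder named on the services line of sssd.conf while its socket unit is also enabled) can be checked before it breaks authentication. The following is an added example, not part of the bug report or of sssd; the function names, the sample configuration and the assumption that socket units are named sssd-<responder>.socket (as with sssd-pam.socket in the log) are illustrative.

```python
import configparser
import subprocess
import sys

# Constructed sample: the old-style configuration described in the report.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ldap
"""

def explicit_services(conf_text):
    """Responders named on the 'services' line of the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def conflicts(conf_text, enabled_units):
    """(responder, unit) pairs that are both listed and socket-activated."""
    enabled = set(enabled_units)
    found = []
    for svc in explicit_services(conf_text):
        unit = f"sssd-{svc}.socket"  # assumed naming, after sssd-pam.socket
        if unit in enabled:
            found.append((svc, unit))
    return found

def enabled_sssd_sockets():
    """Enabled sssd socket units on the live host, via systemctl."""
    res = subprocess.run(
        ["systemctl", "list-unit-files", "--type=socket",
         "--state=enabled", "--no-legend", "sssd-*"],
        capture_output=True, text=True, check=False)
    return [ln.split()[0] for ln in res.stdout.splitlines() if ln.split()]

if __name__ == "__main__":
    # With no argument, audit the constructed sample instead of a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text, units = fh.read(), enabled_sssd_sockets()
    else:
        text, units = SAMPLE_CONF, ["sssd-pam.socket", "sssd-pam-priv.socket"]
    bad = conflicts(text, units)
    for svc, unit in bad:
        print(f"{svc}: listed in services= but {unit} is enabled")
    sys.exit(1 if bad else 0)
```

Run with /etc/sssd/sssd.conf as the argument (root is needed to read it) to audit a live host; a non-zero exit status means at least one responder is configured both ways.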
--- Begin Message ---
Source: sssd
Source-Version: 1.16.0-4
We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 886...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated sssd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 22 Jan 2018 16:50:14 +0200
Source: sssd
Binary: sssd sssd-common sssd-ad sssd-ad-common sssd-dbus sssd-ipa sssd-kcm
sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools libnss-sss
libpam-sss libipa-hbac0 libipa-hbac-dev libsss-certmap0 libsss-certmap-dev
libsss-idmap0 libsss-idmap-dev libsss-nss-idmap0 libsss-nss-idmap-dev
libsss-sudo libsss-simpleifp0 libsss-simpleifp-dev libwbclient-sssd
libwbclient-sssd-dev python-libipa-hbac python-libsss-nss-idmap python-sss
python3-libipa-hbac python3-libsss-nss-idmap python3-sss
Architecture: source
Version: 1.16.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team <pkg-sssd-de...@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Description:
libipa-hbac-dev - FreeIPA HBAC Evaluator library -- development files
libipa-hbac0 - FreeIPA HBAC Evaluator library
libnss-sss - Nss library for the System Security Services Daemon
libpam-sss - Pam module for the System Security Services Daemon
libsss-certmap-dev - Certificate mapping library for SSSD -- development files
libsss-certmap0 - Certificate mapping library for SSSD
libsss-idmap-dev - ID mapping library for SSSD -- development files
libsss-idmap0 - ID mapping library for SSSD
libsss-nss-idmap-dev - SID based lookups library for SSSD -- development files
libsss-nss-idmap0 - SID based lookups library for SSSD
libsss-simpleifp-dev - SSSD D-Bus responder helper library -- development files
libsss-simpleifp0 - SSSD D-Bus responder helper library
libsss-sudo - Communicator library for sudo
libwbclient-sssd - SSSD libwbclient implementation
libwbclient-sssd-dev - SSSD libwbclient implementation -- development files
python-libipa-hbac - Python bindings for the FreeIPA HBAC Evaluator library
python-libsss-nss-idmap - Python bindings for the SID lookups library
python-sss - Python module for the System Security Services Daemon
python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library
python3-libsss-nss-idmap - Python3 bindings for the SID lookups library
python3-sss - Python3 module for the System Security Services Daemon
sssd - System Security Services Daemon -- metapackage
sssd-ad - System Security Services Daemon -- Active Directory back end
sssd-ad-common - System Security Services Daemon -- PAC responder
sssd-common - System Security Services Daemon -- common files
sssd-dbus - System Security Services Daemon -- D-Bus responder
sssd-ipa - System Security Services Daemon -- IPA back end
sssd-kcm - System Security Services Daemon -- Kerberos KCM server implementa
sssd-krb5 - System Security Services Daemon -- Kerberos back end
sssd-krb5-common - System Security Services Daemon -- Kerberos helpers
sssd-ldap - System Security Services Daemon -- LDAP back end
sssd-proxy - System Security Services Daemon -- proxy back end
sssd-tools - System Security Services Daemon -- tools
Closes: 886483
Changes:
sssd (1.16.0-4) unstable; urgency=medium
.
* Revert installing responder service/socket files again.
(Closes: #886483)
Checksums-Sha1:
946140c03f612332eb8edc6a638fdb43a6f3be22 4605 sssd_1.16.0-4.dsc
12bd0392f71972ca680a4ab0c3761cd7e2ea45ba 50275 sssd_1.16.0-4.diff.gz
Checksums-Sha256:
5041186cea5b3ec557c98eaacab5f4267a8bdc5ef7210461aa87c2b0a5c94201 4605
sssd_1.16.0-4.dsc
b0f7df6692f16f159fa23399d4c881bedd918b19fa4eb671a2f037d9adaaba8c 50275
sssd_1.16.0-4.diff.gz
Files:
9c9ec4db9f7469836fddb507130f0b0d 4605 utils extra sssd_1.16.0-4.dsc
2cb7f8a5f873c6cb4d8f586361331a5c 50275 utils extra sssd_1.16.0-4.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---