https://bugzilla.redhat.com/show_bug.cgi?id=2319608
Bug ID: 2319608
Summary: python3-sssdconfig packs outdated .pyc files
Product: Fedora
Version: rawhide
OS: Linux
Status: NEW
Component: sssd
Keywords: Regression
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: jpazdziora(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
The /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/*.cpython-313.pyc files get regenerated when the SSSDConfig module is used.
Reproducible: Always
Steps to Reproduce:
1. dnf install -y python3-sssdconfig
2. stat /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
3. python3 -c 'import SSSDConfig'
4. stat /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
Actual Results:
[root@0890eef375bc /]# stat /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
  File: /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
  Size: 57759     Blocks: 120        IO Block: 4096   regular file
Device: 0,109     Inode: 1226072     Links: 2
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-10-15 00:00:00.000000000 +0000
Modify: 2024-10-15 00:00:00.000000000 +0000
Change: 2024-10-18 09:46:42.433097566 +0000
 Birth: 2024-10-18 09:46:42.432097551 +0000
[root@0890eef375bc /]# python3 -c 'import SSSDConfig'
[root@0890eef375bc /]# stat /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
  File: /usr/lib/python3.13/site-packages/SSSDConfig/__pycache__/__init__.cpython-313.pyc
  Size: 59402     Blocks: 120        IO Block: 4096   regular file
Device: 0,109     Inode: 1196042     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-10-18 09:47:14.646592272 +0000
Modify: 2024-10-18 09:47:14.646592272 +0000
Change: 2024-10-18 09:47:14.646592272 +0000
 Birth: 2024-10-18 09:47:14.646592272 +0000
Expected Results:
The Size and Modify time in the second stat run should match the output from
the first one.
First found by
https://github.com/freeipa/freeipa-container/actions/runs/11397511703/job/3….
--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2319608
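The regeneration shown in this report happens because CPython validates a cached .pyc against its source before using it. The script below, added here as an illustration and not part of the report or of sssd, performs that same validation outside the interpreter so a packager can spot pycs that will be rewritten on first import; the SSSDConfig directory from the report is only a default, and the 16-byte header layout it reads (magic, flags, then either mtime/size or a source hash) is standard CPython behaviour.

```python
"""Report cached .pyc files that the import system would regenerate.

CPython checks a .pyc before using it: a timestamp-based pyc records the
source's mtime and size in its header, a hash-based pyc (PEP 552) records
a hash of the source.  If the recorded value does not match the .py on
disk, the .pyc is rebuilt on first import, which is what this bug shows.
"""
import importlib.util
import struct
import sys
from pathlib import Path

MAGIC = importlib.util.MAGIC_NUMBER  # 4 bytes, fixed per interpreter version


def pyc_status(source: Path) -> str:
    """Classify the cached .pyc belonging to one source file.

    Returns "ok" (the importer would use the cache as is), "stale" (it would
    recompile and overwrite the cache), "missing" (no cache file), or
    "bad-magic" (built by another interpreter version; also recompiled).
    """
    cache = Path(importlib.util.cache_from_source(str(source)))
    if not cache.is_file():
        return "missing"
    with cache.open("rb") as fh:
        header = fh.read(16)
    if len(header) < 16 or header[:4] != MAGIC:
        return "bad-magic"
    (flags,) = struct.unpack("<I", header[4:8])
    if flags & 1:
        # Hash-based pyc: bytes 8..16 hold the SipHash of the source bytes.
        expected = importlib.util.source_hash(source.read_bytes())
        return "ok" if header[8:16] == expected else "stale"
    # Timestamp-based pyc: bytes 8..16 hold mtime and size, both truncated
    # to 32 bits exactly as the importer stores them.
    mtime, size = struct.unpack("<II", header[8:16])
    st = source.stat()
    if mtime != int(st.st_mtime) & 0xFFFFFFFF or size != st.st_size & 0xFFFFFFFF:
        return "stale"
    return "ok"


def scan_package(pkg_dir: Path) -> dict:
    """Map each module file name in pkg_dir to its pyc status."""
    return {p.name: pyc_status(p) for p in sorted(pkg_dir.glob("*.py"))}


if __name__ == "__main__":
    # Default target is the package from the report (an assumption that it
    # is installed); any directory of .py files works.
    target = Path(sys.argv[1] if len(sys.argv) > 1
                  else "/usr/lib/python3.13/site-packages/SSSDConfig")
    for name, status in scan_package(target).items():
        print(f"{status:9} {target / name}")
```

Any module reported as "stale" on a freshly installed package is one the packaging step compiled against a different source mtime or content than what ends up on disk.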
https://bugzilla.redhat.com/show_bug.cgi?id=2320042
Bug ID: 2320042
Summary: [abrt] sssd-tools: set_component(): source_files.py:73:set_component:OSError
Product: Fedora
Version: 41
Hardware: x86_64
Status: NEW
Whiteboard: abrt_hash:a5a6dd78a14a8d86bce922d86636e1cb2da53ec6;VARIANT_ID=workstation;
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: maxi(a)maxiicodes.dev
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Version-Release number of selected component:
sssd-tools-2.10.0-1.fc41
Additional info:
reporter: libreport-2.17.15
kernel: 6.11.4-300.fc41.x86_64
cmdline: /usr/bin/python3 -sP /usr/libexec/sssd/sss_analyze error list
cgroup:
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-cosmic-com.system76.CosmicAppList-3787.scope
uid: 1000
reason: source_files.py:73:set_component:OSError
executable: /usr/libexec/sssd/sss_analyze
type: Python3
package: sssd-tools-2.10.0-1.fc41
runlevel: N 5
exception_type: OSError
crash_function: set_component
interpreter: python3-3.13.0-1.fc41.x86_64
Truncated backtrace:
source_files.py:73:set_component:OSError
Traceback (most recent call last):
  File "/usr/libexec/sssd/sss_analyze", line 5, in <module>
    sss_analyze.run()
    ~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/sssd/sss_analyze.py", line 107, in run
    analyzer.main()
    ~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/sssd/sss_analyze.py", line 102, in main
    args.func(args)
    ~~~~~~~~~^^^^^^
  File "/usr/lib/python3.13/site-packages/sssd/modules/error.py", line 52, in print_error
    source.set_component(component, False)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/sssd/source_files.py", line 73, in set_component
    raise IOError
OSError
Local variables in innermost frame:
self: <sssd.source_files.Files object at 0x7f0cd2976e40>
component: <Component.BE: 3>
child: False
domains: []
https://bugzilla.redhat.com/show_bug.cgi?id=2320133
Bug ID: 2320133
Summary: When installing sssd-ipa package in rpm-ostree image, selinux_child loses capabilities defined in the RPM package
Product: Fedora
Version: 41
OS: Linux
Status: NEW
Component: sssd
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: abokovoy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
If rpm-ostree-based image includes sssd-ipa, the resulting
/usr/libexec/sssd/selinux_child does not have expected file capabilities
present:
# getcap -v /usr/libexec/sssd/*child
/usr/libexec/sssd/gpo_child
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/oidc_child
/usr/libexec/sssd/p11_child
/usr/libexec/sssd/passkey_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
The capabilities are present in the RPM database:
$ rpm -q --filecaps sssd-ipa | grep selinux_child
/usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
Lack of capabilities on the selinux_child causes the PAM account phase to fail:
(2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-10-21 10:11:05): [be[example.test]] [sdap_handle_release] (0x2000): Trace: sh[0x56040e7054d0], connected[1], ops[(nil)], ldap[0x56040e74efb0], destructor_lock[0], release_memory[0]
   *  (2024-10-21 10:11:05): [be[example.test]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
   *  (2024-10-21 10:11:05): [be[example.test]] [_read_pipe_handler] (0x0400): [RID#5] EOF received, client finished
   *  (2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
********************** BACKTRACE DUMP ENDS HERE *********************************
Reproducible: Always
Steps to Reproduce:
1. Build an image with sssd-ipa package installed
2. Rebase to this image with rpm-ostree rebase REFSPEC
3. Enroll the system to IPA domain
4. Attempt to login as IPA user
Actual Results:
Failure to login, with a result in the logs 'System error'
Expected Results:
Login to system with IPA user is successful
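A drift check for the situation described in this report, added here as an example and not code from the report or from sssd: it parses the listings produced by rpm -q --filecaps and getcap and reports every path whose on-disk capabilities differ from what the package recorded. The sample listings are constructed from the output quoted above; check_package() assumes rpm and getcap are on PATH, and accepting the older "path = caps" getcap form is an assumption about libcap versions.

```python
"""Detect file-capability drift between the RPM database and the filesystem.

sssd's *_child helpers run unprivileged and rely on file capabilities
(cap_setuid, cap_setgid, ...) recorded in the package.  When a deployment
path drops them, the helper fails at runtime, as the
selinux_child_parse_response error in this report shows.
"""
import shutil
import subprocess


def parse_caps_listing(text: str) -> dict:
    """Parse 'path [caps]' lines as printed by `rpm -q --filecaps` and `getcap`.

    A path without a capability string maps to "".  The older getcap form
    'path = caps' is accepted too (assumption: libcap before 2.41).  Lines
    not starting with '/' are treated as wrapped continuations of the
    previous path, which also copes with mail-wrapped listings.
    """
    caps = {}
    last = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            parts = line.split(None, 1)
            last = parts[0]
            rest = parts[1] if len(parts) > 1 else ""
            caps[last] = rest.lstrip("= ").strip()
        elif last is not None:
            caps[last] = (caps[last] + line).strip()
    return caps


def capability_drift(expected: dict, actual: dict) -> dict:
    """Return {path: (expected_caps, actual_caps)} for every mismatch.

    Only paths the package claims capabilities for are compared; a path
    absent from `actual` is reported as having no capabilities at all.
    """
    drift = {}
    for path, want in expected.items():
        if not want:
            continue
        have = actual.get(path, "")
        if have != want:
            drift[path] = (want, have)
    return drift


def check_package(package: str) -> dict:
    """Run the real commands for one installed package (assumes rpm and getcap)."""
    if shutil.which("rpm") is None or shutil.which("getcap") is None:
        raise RuntimeError("rpm and getcap are required")
    rpm_out = subprocess.run(["rpm", "-q", "--filecaps", package],
                             capture_output=True, text=True, check=True).stdout
    expected = parse_caps_listing(rpm_out)
    paths = [p for p, c in expected.items() if c]
    if not paths:
        return {}
    getcap_out = subprocess.run(["getcap"] + paths,
                                capture_output=True, text=True).stdout
    return capability_drift(expected, parse_caps_listing(getcap_out))


# Constructed sample, modelled on the listings quoted in the report.
SAMPLE_RPM = """\
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/proxy_child
"""
SAMPLE_GETCAP = """\
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child
/usr/libexec/sssd/proxy_child
"""


def sample_drift() -> dict:
    """Drift between the two constructed listings: only selinux_child differs."""
    return capability_drift(parse_caps_listing(SAMPLE_RPM),
                            parse_caps_listing(SAMPLE_GETCAP))


if __name__ == "__main__":
    for path, (want, have) in sample_drift().items():
        print(f"{path}: expected [{want}] found [{have or 'none'}]")
```

On an rpm-ostree system the same comparison can be run against the composed image before rebasing, which catches the drift before any login fails.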
https://bugzilla.redhat.com/show_bug.cgi?id=2305856
Bug ID: 2305856
Summary: sss_ssh_knownhosts man page does not contain information about replacements
Product: Fedora
Version: rawhide
OS: Linux
Status: NEW
Component: sssd
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: orion(a)nwra.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
ssh fails with:
******************************************************************************
Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.
Please read the sss_ssh_knownhosts(1) man page to learn about its replacement.
******************************************************************************
But man sss_ssh_knownhosts contains just:
SSS_SSH_KNOWNHOSTS(1)              SSSD Manual pages              SSS_SSH_KNOWNHOSTS(1)
NAME
sss_ssh_knownhosts - get OpenSSH known hosts public keys
SYNOPSIS
sss_ssh_knownhosts [options] HOST
DESCRIPTION
sss_ssh_knownhosts acquires SSH public keys for host HOST and outputs
them in OpenSSH known_hosts key format (see the
“SSH_KNOWN_HOSTS FILE FORMAT” section of sshd(8) for more information).
ssh(1) can be configured to use sss_ssh_knownhosts for public key host
authentication using the “KnownHostsCommand”
option:
KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
Please refer to the ssh_config(5) man page for more details about this
option.
OPTIONS
-d,--domain DOMAIN
Search for host public keys in SSSD domain DOMAIN.
-?,--help
Display help message and exit.
EXIT STATUS
In case of successful execution, even if no key was found, 0 is
returned. 1 is returned in case of error.
SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5),
sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5),
sssd-sudo(5), sssd-session-recording(5), sss_cache(8),
sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(1),
sss_ssh_knownhosts(1), sssd-ifp(5), pam_sss(8).
sss_rpcidmapd(5) sssd-systemtap(5)
AUTHORS
The SSSD upstream - https://github.com/SSSD/sssd/
SSSD                                  07/22/2024                  SSS_SSH_KNOWNHOSTS(1)
and no information about a replacement or it being obsolete.
sssd-2.10.0~beta2-3.fc41.x86_64
Reproducible: Always
https://bugzilla.redhat.com/show_bug.cgi?id=1886841
Bug ID: 1886841
Summary: Pinpad card reader for login authentication, yet you are also asked to enter PIN on PC keyboard
Product: Fedora
Version: 32
Hardware: x86_64
URL: https://lists.fedoraproject.org/archives/list/freeipa-users(a)lists.fedorahosted.org/thread/FLLIA5RLHT3MO4NI2F3MJNMBBNGGZA4Z/
OS: Linux
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: peter(a)unix-edu.se
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
mzidek(a)redhat.com, pbrezina(a)redhat.com,
rharwood(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Build Identifier:
Hello Folks!
We are working on getting smart card authentication working using pinpad card
readers for improved security.
To do this we use:
FreeIPA Server is running on Fedora 32 with latest updates.
FreeIPA clients are Fedora 32 Workstation installed on a PC with latest updates and a connected USB card reader.
The card reader is a Gemalto CT700 with pinpad; we use several per-user SmartCard-HSM 4K tokens with FreeIPA-signed certificates on them.
FreeIPA clients run OpenSC and are configured to use smartcard certificate based authentication, set up per SmartCard-HSM best practice.
Further, clients are using SSSD and not PAM_PKCS#11.
All works great using the smartcard for authentication, as long as the pinpad is not enabled in opensc.
If we do so, we are prompted for the PIN not only on the pinpad reader; GDM also prompts to enter the PIN on the keyboard.
Expected result is to be logged in directly after entering correct PIN code on
pinpad reader, not being prompted by GDM to enter PIN on keyboard as well.
If enabling pinpad in opensc, login gets a bit odd:
1. The Fedora 32 Workstation GDM menu shows a few users that can log in.
2. The smartcard is inserted in the reader.
3. GDM blanks the screen and the smartcard reader prompts to enter the PIN on its LCD display.
4. Enter the PIN on the smartcard reader and press its OK button; the reader display shows "PIN OK".
5. GDM now prompts for the PIN on the keyboard. This is unexpected, instead of being logged in directly to the window manager, here GNOME (or Xfce, whatever window manager you selected to use).
6. You have to enter the PIN on the keyboard now, followed by hitting Enter.
7. Once again the smartcard reader prompts for the PIN on its LCD display.
8. Enter the PIN on the smartcard pinpad reader followed by pressing the pinpad OK button.
9. You are now logged in, and all is normal. If the smartcard is pulled from the reader the screen locks, as expected.
Sometimes, but not always, you are logged in to the window manager directly after step 5.
What could this be? Has anyone seen this before, or does anyone know how to set it up?
Reproducible: Always
Steps to Reproduce:
1. Install and set up FreeIPA server and client on Fedora 32 with latest updates to use smartcard authentication for login.
Work on IPA Server:
-------------------
Install Fedora 32 server minimal installation all excluded, update to latest
version (dnf update -y), set hostname, enter server hostname
(ipaserver.mydomain.com) and ip in /etc/hosts, enable and start chrony, reboot.
(As root user)
dnf install ipa-server bind-dyndb-ldap ipa-server-dns -y
for SERVICES in ntp http https ldap ldaps kerberos kpasswd dns; do firewall-cmd --permanent --add-service=$SERVICES; done
ipa-server-install --setup-dns
.
.
.
Add one secondary DNS in /etc/NetworkManager/conf.d/zzz-ipa.conf
klist
kinit admin
authselect select sssd with-sudo with-mkhomedir
ipa user-add user3 --first=user3 --last=test --email=user3(a)mydomain.com --shell=/bin/bash --password
id user3
ipa user-find user3
ssh user3(a)ipaserver.mydomain.com
(change password)
reboot
(As root user)
klist
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod u+x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh /etc/ipa/ca.crt
.
.
reboot
ipa-advise config-client-for-smart-card-auth > /tmp/config-client-for-smart-card-auth.sh
chmod a+r /tmp/config-client-for-smart-card-auth.sh
Work on Fedora 32 workstation:
------------------------------
Install Fedora 32 Workstation from live dvd to PC, update to latest version
(dnf update -y), set hostname, enter server hostname (workstation.mydomain.com)
and ip in /etc/hosts, enable and start chrony.
Change/add to /etc/sysconfig/network-scripts/reboot, so the IPA server becomes primary DNS for the Fedora 32 Workstation:
PEERDNS=no
DNS1=<ipa server ip address>
DNS2=<second dns server>
SEARCH=mydomain.com
DOMAIN=mydomain.com
Then reboot
Login and check that DNS is working.
(as root user)
dnf install freeipa-client.x86_64 -y
ipa-client-install --mkhomedir
id user3
reboot
Connect gemalto CT700 card reader to pc/Fedora Workstation.
lsusb
dnf install opensc ccid pcsc-tools -y
systemctl enable pcscd
systemctl start pcscd
scp user3@ipaserver:/tmp/config-client-for-smart-card-auth.sh .
chmod +x config-client-for-smart-card-auth.sh
./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt
.
.
.
In /etc/opensc.conf enable pinpad by uncommenting enable_pinpad = true;
Ensure pam_cert_auth is true in sssd.conf:
grep ^pam_cert_auth /etc/sssd/sssd.conf
pam_cert_auth = True
authselect select sssd with-mkhomedir with-sudo with-smartcard with-smartcard-lock-on-removal --force
authselect current
reboot
2. Prepare smartcard-hsm with user3 certificate using
(as root user)
kinit admin
Insert smartcard-hsm in gemalto ct700 card reader!
pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Ezio Shield (I<some number>) 00 00
Wed Sep 23 14:12:27 2020
Reader 0: Gemalto Ezio Shield (I<some number>) 00 00
.
.
.
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
<some hex number>
Smartcard-HSM
http://www.cardcontact.de/products/sc-hsm.html
opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes PIN pad Gemalto Ezio Shield (I<some number>) 00 00
pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Gemalto Ezio Shield (I<some number>) 00 00
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, PIN pad present, rng, token initialized,
PIN initialized
hardware version : 24.13
firmware version : 2.5
serial num : DECM<some number>
pin min/max : 6/15
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
.
.
.
sc-hsm-tool --initialize --so-pin <long pincode> --pin <pincode> --dkek-shares 1
sc-hsm-tool
.
.
.
DKEK shares : 1
DKEK import pending, 1 share(s) still missing
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
.
.
.
Enter password to decrypt DKEK share : <pincode>
sc-hsm-tool
.
.
.
DKEK shares : 1
DKEK key check value : <some hex code>
# generate keypair
pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --keypairgen --key-type rsa:2048 --id 10 --label "HSM RSA Key user3"
pkcs11-tool --list-objects
.
.
.
pkcs11-tool --test --login --pin <pincode>
.
.
.
# Backup DKEK
sc-hsm-tool --wrap-key wrap-key-1.bin --key-reference 1 --pin <pincode>
# Extract card public key for slot 10
pkcs15-tool --read-public-key 10 > user3.pub
# Prepping for and Create CSR to sign by IPA for user3
# Create a file hsm.conf with the content below
cat hsm.conf
# PKCS11 engine config
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
PIN =
init = 0
# Test that hsm.conf is working, and find pkcs11 engine
OPENSSL_CONF=./hsm.conf openssl engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(pkcs11) pkcs11 engine
# Create CSR to sign by IPA for user3
OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 10 -sha256 -out user3.csr -subj "/CN=user3"
Login to IPA server using the web interface https://ipaserver.mydomain.com
(this can be performed from command line as well, but we did use the web
interface to IPA)
user user3 Actions -> new certificate
select profile IECuserRoles
copy "user3.csr" from above, paste it in and click "Issue" (IPA now signs the CSR)
To retrieve the signed certificate for user3:
user user3 by Certificates click Actions -> Download and save as. (it downloads
as cert.pem)
Copy the downloaded certificate (cert.pem) to the host with the card reader (Fedora 32 Workstation).
Rename it:
mv cert.pem user3.pem
# convert to der format:
openssl x509 -in user3.pem -out user3.der -outform der
# write it to the card in slot 10
pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --write-object user3.der --type cert --id 10
# check that it is there:
pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: Certificate
subject: DN: O=MYDOMAIN.COM, CN=user3
ID: 10
Public Key Object; RSA 2048 bits
label: Certificate
ID: 10
Usage: encrypt, verify
Smartcard should now be ready for use with IPA.
3. Now try to log in to workstation.mydomain.com through GDM using the smartcard issued for user3.
Note! The user3 password must not have expired; this should be taken care of by the initial login test above.
As per the details above (steps 1 to 9).
Actual Results:
You are asked to enter PIN using pinpad on card reader followed by enter PIN
using the keyboard, then you are logged in.
Sometimes you need to enter PIN on pinpad once more after entering PIN using
the keyboard.
Expected Results:
Directly after entering correct PIN using pinpad on card reader you should be
logged in.
Versions:
Fedora32 with latest updates per Oct 9 2020.
freeipa-server-4.8.10-5.fc32.x86_64
freeipa-client-4.8.10-5.fc32.x86_64
sssd-client-2.3.1-2.fc32.x86_64
opensc-0.20.0-6.fc32.x86_64
pcsc-lite-libs-1.9.0-1.fc32.x86_64
https://bugzilla.redhat.com/show_bug.cgi?id=2308428
Bug ID: 2308428
Summary: Failed to start sssd-kcm.socket service
Product: Fedora
Version: 41
OS: Linux
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: pnemade(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
I upgraded my Fedora 40 Silverblue system to Fedora 41 Silverblue. I am using toolbox on this upgraded system to use the kinit command. However, I found it failed with the error "kinit: Connection refused while getting default ccache".
I then checked for any failed services on this system and found the below:
parag@f41sb:~$ sudo systemctl status sssd-kcm.service
× sssd-kcm.service - SSSD Kerberos Cache Manager
     Loaded: loaded (/usr/lib/systemd/system/sssd-kcm.service; indirect; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Thu 2024-08-29 08:36:37 IST; 2min 14s ago
   Duration: 17ms
 Invocation: a0e98bf8241640c3b720f1beeeaa5293
TriggeredBy: × sssd-kcm.socket
       Docs: man:sssd-kcm(5)
    Process: 2766 ExecStartPre=/bin/chown -f sssd:sssd /etc/sssd/sssd.conf (code=exited, status=1/FAILURE)
    Process: 2771 ExecStartPre=/bin/chown -f -R sssd:sssd /etc/sssd/conf.d (code=exited, status=0/SUCCESS)
    Process: 2773 ExecStart=/usr/libexec/sssd/sssd_kcm ${DEBUG_LOGGER} (code=exited, status=3)
   Main PID: 2773 (code=exited, status=3)

Aug 29 08:36:37 f41sb sssd_kcm[2773]: Failed to connect to '/var/lib/sss/secrets/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/sss/secrets/secrets.ldb': Permission denied
Aug 29 08:36:37 f41sb sssd_kcm[2773]: (2024-08-29 8:36:37): [kcm] [sss_sec_init] (0x0020): Failed to initialize secdb [5]: Input/output error
Aug 29 08:36:37 f41sb sssd_kcm[2773]: (2024-08-29 8:36:37): [kcm] [ccdb_secdb_init] (0x0020): Cannot initialize the security database
Aug 29 08:36:37 f41sb sssd_kcm[2773]: (2024-08-29 8:36:37): [kcm] [kcm_ccdb_init] (0x0020): Cannot initialize ccache database
Aug 29 08:36:37 f41sb sssd_kcm[2773]: (2024-08-29 8:36:37): [kcm] [kcm_process_init] (0x0010): fatal error initializing responder data
Aug 29 08:36:37 f41sb systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Aug 29 08:36:37 f41sb systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Aug 29 08:36:37 f41sb systemd[1]: sssd-kcm.service: Start request repeated too quickly.
Aug 29 08:36:37 f41sb systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Aug 29 08:36:37 f41sb systemd[1]: Failed to start sssd-kcm.service - SSSD Kerberos Cache Manager.
and
parag@f41sb:~$ sudo systemctl status sssd-kcm.socket
× sssd-kcm.socket - SSSD Kerberos Cache Manager responder socket
     Loaded: loaded (/usr/lib/systemd/system/sssd-kcm.socket; enabled; preset: enabled)
     Active: failed (Result: service-start-limit-hit) since Thu 2024-08-29 08:36:37 IST; 2min 39s ago
   Duration: 23.535s
 Invocation: de4f2f42700f47a3958789b82f7d5070
   Triggers: ● sssd-kcm.service
       Docs: man:sssd-kcm(8)
     Listen: /run/.heim_org.h5l.kcm-socket (Stream)

Aug 29 08:36:14 f41sb systemd[1]: Listening on sssd-kcm.socket - SSSD Kerberos Cache Manager responder socket.
Aug 29 08:36:37 f41sb systemd[1]: sssd-kcm.socket: Failed with result 'service-start-limit-hit'.
Can someone help to know better how to fix this service failure issue so that I
can start using kinit command?
Reproducible: Always
Steps to Reproduce:
1. Take Fedora 41 bare metal Silverblue system not VM
2. use fedora toolbox
3. in toolbox just run "kinit" or "klist" it fails
Actual Results:
kinit: Connection refused while getting default ccache
Expected Results:
Should run kinit and get a ticket
https://bugzilla.redhat.com/show_bug.cgi?id=2299733
Bug ID: 2299733
Summary: logrotate service will fail to start due to improper
permissions on /var/log/sssd directory
Product: Fedora
Version: rawhide
Hardware: x86_64
OS: Linux
Status: NEW
Component: sssd
Keywords: Regression
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: sponix2ipfw(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
I see that the logrotate service has failed to start from within cockpit. In
there it explains that this is due to improper permissions on /var/log/sssd
directory. After a sudo chmod 755 /var/log/sssd I can start the logrotate
service without issues. Pretty sure what I've done to resolve this is take the
permissions from drwxrwxr-x to drwxr-xr-x on this directory.
Reproducible: Always
Steps to Reproduce:
1. Apply system updates that include sssd, then have a look at services in cockpit.
2. After seeing that the logrotate service failed to start, run sudo chmod 755 /var/log/sssd.
3. Clear the error and start logrotate; it works as it should.
Actual Results:
Well, the steps above get logrotate running again. I am not sure how this may affect the sssd system itself though.
Expected Results:
it is expected to see logrotate service running without the need to use sudo
chmod 755 /var/log/sssd
https://bugzilla.redhat.com/show_bug.cgi?id=2315854
Bug ID: 2315854
Summary: logrotate configuration is incorrect for non-root
setup
Product: Fedora
Version: 41
OS: Linux
Status: NEW
Component: sssd
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: abokovoy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
I installed Fedora 41 server and configured IPA server on it. SSSD uses
sssd:sssd for /var/log/sssd now. Logrotate does not like it:
------------------------
logrotate
error: skipping "/var/log/sssd/sssd_example.test.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
-------------------------
SSSD logrotate configuration needs to be updated.
Reproducible: Always