[Bug 2264610] New: FTBFS: sssd intermediate CA tests fail with OpenSSL 3.2
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2264610
Bug ID: 2264610
Summary: FTBFS: sssd intermediate CA tests fail with OpenSSL 3.2
Product: Fedora
Version: rawhide
OS: Linux
Status: NEW
Component: sssd
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: sgallagh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
$ /usr/bin/make -C src/tests/test_CA/intermediate_CA ca_all
make: Entering directory
'/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA'
test -z "index.txt index.txt.attr index.txt.attr.old index.txt.old
SSSD_test_intermediate_CA.pem SSSD_test_intermediate_CA_req.pem
SSSD_test_intermediate_CA_full_db.pem SSSD_test_CA.pem pwdfile
SSSD_test_intermediate_CA_cert_x509_0001.pem
SSSD_test_intermediate_CA_cert_x509_0001.h
SSSD_test_intermediate_CA_cert_pubsshkey_0001.pub
SSSD_test_intermediate_CA_cert_pubsshkey_0001.h
SSSD_test_intermediate_CA_cert_pkcs12_0001.pem softhsm2_*.conf " || rm -f
index.txt index.txt.attr index.txt.attr.old index.txt.old
SSSD_test_intermediate_CA.pem SSSD_test_intermediate_CA_req.pem
SSSD_test_intermediate_CA_full_db.pem SSSD_test_CA.pem pwdfile
SSSD_test_intermediate_CA_cert_x509_0001.pem
SSSD_test_intermediate_CA_cert_x509_0001.h
SSSD_test_intermediate_CA_cert_pubsshkey_0001.pub
SSSD_test_intermediate_CA_cert_pubsshkey_0001.h
SSSD_test_intermediate_CA_cert_pkcs12_0001.pem softhsm2_*.conf
rm -rf .libs _libs
rm -rf newcerts
rm -rf softhsm*
rm -rf serial*
rm -f *.lo
/usr/bin/make -C ./.. SSSD_test_CA.pem
make[1]: Entering directory
'/home/sgallagh/localworkspace/sssd/src/tests/test_CA'
/usr/bin/openssl req -batch -config ./SSSD_test_CA.config -x509 -new -nodes
-key SSSD_test_CA_key.pem -sha256 -days 1024 -set_serial 0 -extensions v3_ca
-out SSSD_test_CA.pem
make[1]: Leaving directory
'/home/sgallagh/localworkspace/sssd/src/tests/test_CA'
ln -s ./../SSSD_test_CA.pem
/usr/bin/openssl req -batch -config ./SSSD_test_intermediate_CA.config -new
-nodes -key
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
-sha256 -out SSSD_test_intermediate_CA_req.pem
cd .. && /usr/bin/openssl ca -config
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/../SSSD_test_CA.config
-batch -notext -keyfile
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/../SSSD_test_CA_key.pem
-in
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_req.pem
-days 200 -extensions v3_intermediate_ca -out
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.pem
Using configuration from
/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA/../SSSD_test_CA.config
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /O=SSSD/OU=SSSD test/CN=SSSD test
intermediate CA
The matching entry has the following details
Type :Valid
Expires on :240903175906Z
Serial Number :08
File name :unknown
Subject Name :/O=SSSD/OU=SSSD test/CN=SSSD test intermediate CA
make: *** [Makefile:756: SSSD_test_intermediate_CA.pem] Error 1
make: Leaving directory
'/home/sgallagh/localworkspace/sssd/src/tests/test_CA/intermediate_CA'
Reproducible: Always
Steps to Reproduce:
1. Build SSSD and run the intermediate CA tests
Expected Results:
Successful test run.
--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2264610
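The `openssl ca` error in the report above names a still-valid database entry with the same subject as the new request. The following is an added example, not part of the bug report or of SSSD's Makefile: it runs the same lookup against an `index.txt` so a leftover entry can be spotted before a rebuild. The sample database is constructed; its serial 08 row reuses the details printed in the error, the other two rows are made up.

```shell
#!/bin/sh
# Added example: list still-valid entries for a subject in an `openssl ca`
# database. index.txt is tab-separated:
#   status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial (hex),
#   file name, subject DN

# $1 = path to index.txt, $2 = subject DN to look up
find_valid_entries() {
    # The subject is passed through the environment so awk does not
    # reinterpret backslashes that may occur in a DN.
    SUBJ="$2" awk -F '\t' '
        $1 == "V" && $6 == ENVIRON["SUBJ"] {
            printf "serial=%s expires=%s file=%s\n", $4, $2, $5
        }' "$1"
}

# Succeeds when at least one valid entry already carries the subject
subject_is_taken() {
    [ -n "$(find_valid_entries "$1" "$2")" ]
}

# Constructed sample database: a revoked entry, the valid entry from the
# error message, and a valid entry for an unrelated subject.
make_sample_index() {
    ca='/O=SSSD/OU=SSSD test/CN=SSSD test intermediate CA'
    printf 'R\t230101000000Z\t230601000000Z\t07\tunknown\t%s\n' "$ca"
    printf 'V\t240903175906Z\t\t08\tunknown\t%s\n' "$ca"
    printf 'V\t250101000000Z\t\t09\tunknown\t%s\n' '/O=SSSD/OU=SSSD test/CN=other'
}

idx=$(mktemp)
make_sample_index > "$idx"
if subject_is_taken "$idx" '/O=SSSD/OU=SSSD test/CN=SSSD test intermediate CA'; then
    find_valid_entries "$idx" '/O=SSSD/OU=SSSD test/CN=SSSD test intermediate CA'
fi
rm -f "$idx"
```

Revoked (`R`) rows are ignored, which is why only the serial 08 row is reported for the intermediate CA subject.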
[Bug 2260445] New: how to set up proxy provider for local smart card authentication?
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2260445
Bug ID: 2260445
Summary: how to set up proxy provider for local smart card authentication?
Product: Fedora
Version: rawhide
URL: https://artifacts.dev.testing-farm.io/64496df8-0c7b-4454-9349-dc22f69f4a24/
OS: Linux
Status: NEW
Component: sssd
Keywords: Regression
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: mpitt(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
The recent sssd-2.9.4-3.fc40.x86_64 rawhide update [1] disabled the "files"
provider [2]. The Fedora changes page [3] promised "some document on sssd.io"
that explains the migration, but I didn't find anything. We are using this to
test cockpit smartcard authentication [4] with certmap (we also have a full
FreeIPA integration test case, but that can't run on Testing Farm for distro
gating), which now stopped working:
---------------- 8< -----------------
[sssd]
domains = local
[domain/local]
id_provider = files
[certmap/local/alice]
# Requires sssd >= 2.6.1 and installing sssd_auth_ca_db.pem; with earlier sssd
# this is completely unsafe
matchrule = <SUBJECT>^DC=LAN,DC=COCKPIT,CN=alice$
---------------- 8< -----------------
I checked various resources [5][6][7][8], but they provide either very little,
or contradicting information (id_provider vs. auth_provider, etc.). I tried
with
[domain/local]
id_provider = proxy
auth_provider = proxy
proxy_lib_name = files
and various combinations, but in all cases sssd.service fails to start up:
Jan 26 09:22:48 fedora-rawhide-127-0-0-2-2201 sssd_be[5357]: Starting up
Jan 26 09:22:48 fedora-rawhide-127-0-0-2-2201 sssd[5353]: Exiting the SSSD.
Could not restart critical service [local].
and /var/log/sssd/sssd_local.log essentially says
Unable to load target [id] [80]: Accessing a corrupted shared library.
I attach the full log for reference.
[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-6d3f839766
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2253183
[3] https://fedoraproject.org/wiki/Changes/SSSDRemoveFilesProvider
[4]
https://github.com/cockpit-project/cockpit/blob/4021b8a60237076bdde01183a...
[5]
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/...
[6] https://github.com/SSSD/sssd/releases/tag/2.9.0
[7] https://sssd.io/release-notes/sssd-2.9.3.html
[8] https://manpages.ubuntu.com/manpages/jammy/en/man5/sssd.conf.5.html
Reproducible: Always
Steps to Reproduce:
see above
[Bug 2247777] New: SSSD will not boot up after restart
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2247777
Bug ID: 2247777
Summary: SSSD will not boot up after restart
Product: Fedora
Version: 38
Hardware: x86_64
URL: https://github.com/Scribery/cockpit-session-recording/issues/157
OS: Linux
Status: NEW
Component: sssd
Severity: medium
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: lzap(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
lslebodn(a)redhat.com, luk.claes(a)gmail.com,
mzidek(a)redhat.com, pbrezina(a)redhat.com,
sbose(a)redhat.com, ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
I installed a fresh Fedora 38, installed Session Recording in Cockpit, enabled
All recording and SSSD does not start anymore. The error is: Condition
ConditionPathExists=/etc/sssd/sssd.conf was not met. I think previously it was
booting up properly.
I reported it to the Cockpit guys via Slack and was told to create a bug for the
Session Recording plugin, so I did:
https://github.com/Scribery/cockpit-session-recording/issues/157
It looks like this might be a bug in the systemd unit file:
"The SSSD unit file should also have
ConditionDirectoryNotEmpty=|/etc/sssd/conf.d/"
So leaving a bug report for you guys.
Reproducible: Always
Steps to Reproduce:
1. Enable Session Recording via plugin as described
2. SSSD will not start anymore
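The start condition quoted in the report above can be checked outside systemd. The following is an added example, not code from SSSD or Cockpit: it evaluates the condition from the error message next to an assumed variant in which both checks are triggering (`|`) conditions, which systemd treats as "start if at least one holds". The directory layout and the snippet file name are constructed.

```shell
#!/bin/sh
# Added example: emulate the unit start conditions discussed in the report.

path_exists()   { [ -e "$1" ]; }
dir_not_empty() { [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]; }

# Condition as quoted in the report's error message:
#   ConditionPathExists=/etc/sssd/sssd.conf
# $1 = filesystem root to evaluate against
current_conditions() {
    path_exists "$1/etc/sssd/sssd.conf"
}

# Assumed variant (not taken from the page) with both checks triggering:
#   ConditionPathExists=|/etc/sssd/sssd.conf
#   ConditionDirectoryNotEmpty=|/etc/sssd/conf.d/
# systemd starts the unit when at least one triggering condition holds.
proposed_conditions() {
    path_exists "$1/etc/sssd/sssd.conf" || dir_not_empty "$1/etc/sssd/conf.d"
}

# Constructed layout: configuration only as a conf.d snippet, no sssd.conf.
# The snippet name is hypothetical.
make_snippet_only_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sssd/conf.d"
    : > "$root/etc/sssd/conf.d/recording.conf"
    printf '%s\n' "$root"
}

# $1 = root; prints whether each condition set would start or skip the unit
report() {
    if current_conditions "$1"; then c=start; else c=skip; fi
    if proposed_conditions "$1"; then p=start; else p=skip; fi
    printf 'current=%s proposed=%s\n' "$c" "$p"
}

root=$(make_snippet_only_root)
report "$root"
rm -rf "$root"
```

If `ConditionPathExists=` stayed a regular (non-triggering) condition, it would still have to hold on its own, so adding only the directory check would not change the outcome for a snippet-only configuration.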