[Pkg-sssd-devel] Bug#965143: sssd: SSSD 2.3 won't let log in or use sudo

Sam Morris sam at robots.org.uk
Thu Jul 16 19:12:41 BST 2020


Package: sssd
Version: 2.3.0-2
Severity: grave
Justification: renders package unusable

This locks me out of my systems.

    $ sudo -l
    [sudo] password for sam.morris at ad.domain.example: 
    Sorry, try again.
    [sudo] password for sam.morris at ad.domain.example: 
    Sorry, try again.
    [sudo] password for sam.morris at ad.domain.example: 
    sudo: 3 incorrect password attempts

Each authentication attempt logs the following in sssd_pam.log:

    (2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn_res] (0x0040): Search for upn [sam.morris at ad.domain.example] returns more than one result. One of the possible reasons can be that several users share the same email address.
    (2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn] (0x0040): Error: 22 (Invalid argument)
    (2020-07-16 18:08:38): [pam] [sysdb_initgroups_by_upn] (0x0040): sysdb_search_user_by_upn() failed.
    (2020-07-16 18:08:38): [pam] [cache_req_search_cache] (0x0020): CR #12: Unable to lookup [sam.morris at ad.domain.example] in cache [22]: Invalid argument
    (2020-07-16 18:08:38): [pam] [pam_check_user_search_next] (0x0020): Fatal error, killing connection!

My user exists in an Active Directory domain that has a one-way trust
established via FreeIPA.

We do indeed have several users with the same email address. That's
(until now) been a perfectly valid setup (one human has several accounts
for performing different roles and they all have the same email
address).

Downgrading to 2.2.3-3 fixes the problem. It's necessary to remove the
sssd database after downgrading.

I've had a quick scan of the commits between 2.2.3 and 2.3.0 and
nothing's jumped out at me yet. I'll take another look later...

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages sssd depends on:
ii  python3-sss  2.3.0-2
ii  sssd-ad      2.3.0-2
ii  sssd-common  2.3.0-2
ii  sssd-ipa     2.3.0-2
ii  sssd-krb5    2.3.0-2
ii  sssd-ldap    2.3.0-2
ii  sssd-proxy   2.3.0-2

sssd recommends no packages.

sssd suggests no packages.

-- no debconf information
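
The failure signature in the sssd_pam.log excerpt above, as an added Python example that is not part of the original bug report or of SSSD: it parses lines in that layout and reports which UPNs hit the ambiguous-lookup error and how often the PAM responder then killed the connection. The function name, the sample lines and the UPNs in them are constructed for illustration, and the code assumes the kill message follows the ambiguous lookup as it does in the excerpt.

```python
import re
from collections import defaultdict

# Layout taken from the sssd_pam.log excerpt in the report:
# (timestamp): [component] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\]]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DUP_UPN_RE = re.compile(
    r"Search for upn \[(?P<upn>[^\]]+)\] returns more than one result"
)

def find_ambiguous_upn_failures(lines):
    """Return {upn: {"lookups": n, "killed": m}} for ambiguous UPN lookups."""
    report = defaultdict(lambda: {"lookups": 0, "killed": 0})
    current = None  # UPN of the most recent ambiguous lookup, if any
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that does not follow the layout
        func, msg = m["func"], m["msg"]
        if func == "sysdb_search_user_by_upn_res":
            dup = DUP_UPN_RE.search(msg)
            current = dup["upn"] if dup else None
            if current:
                report[current]["lookups"] += 1
        elif func == "pam_check_user_search_next" and "killing connection" in msg:
            # Assumption: the kill belongs to the preceding ambiguous lookup.
            if current:
                report[current]["killed"] += 1
            current = None
    return dict(report)

# Constructed sample lines modelled on the excerpt; the UPNs are made up.
DUP = ("Search for upn [{}] returns more than one result. One of the possible "
       "reasons can be that several users share the same email address.")
SAMPLE_LOG = [
    "(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn_res] (0x0040): " + DUP.format("alice@ad.example.test"),
    "(2020-07-16 18:08:38): [pam] [sysdb_search_user_by_upn] (0x0040): Error: 22 (Invalid argument)",
    "(2020-07-16 18:08:38): [pam] [pam_check_user_search_next] (0x0020): Fatal error, killing connection!",
    "(2020-07-16 18:08:41): [pam] [sysdb_search_user_by_upn_res] (0x0040): " + DUP.format("alice@ad.example.test"),
    "(2020-07-16 18:08:41): [pam] [pam_check_user_search_next] (0x0020): Fatal error, killing connection!",
    "(2020-07-16 18:09:02): [pam] [sysdb_search_user_by_upn_res] (0x0040): " + DUP.format("bob@ad.example.test"),
    "this line does not follow the layout and is ignored",
]

if __name__ == "__main__":
    for upn, counts in find_ambiguous_upn_failures(SAMPLE_LOG).items():
        print(upn, counts)
```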


