stable

sssd-2.10.1-1.fc41

FEDORA-2024-5afdb12065 created by pbrezina 3 months ago for Fedora 41

Rebase to the latest upstream release:

See release notes here:

https://sssd.io/release-notes/sssd-2.10.1.html

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-5afdb12065

This update has been submitted for testing by pbrezina.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'failed'.

3 months ago
adamwill commented & provided feedback 3 months ago

This is some kind of real failure, but I'm on PTO today and don't have time to look into it in detail right now. Will look later.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

3 months ago

I'm not familiar with those tests, but clicking around:

(2024-12-10 11:35:37): [be[test.openqa.fedoraproject.org]] [selinux_child_done] (0x0020): [RID#8] Error in selinux_child: [1][Operation not permitted]

at least some of those tests are due to https://github.com/fedora-selinux/selinux-policy/issues/2455

Some look like an infra failure?

(12:36:28): [be_resolve_server_process] (0x0200): Found address for server ipa001.test.openqa.fedoraproject.org: [172.16.2.100] TTL 1109
(12:36:28): [sssd_async_socket_init_send] (0x4000): Using file descriptor [22] for the connection.
(12:36:28): [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout [ldap_network_timeout] for connecting
(12:36:34): [sssd_async_connect_timeout] (0x0100): The connection timed out [ldap_network_timeout]
(12:36:34): [sssd_async_socket_init_done] (0x0040): sdap_async_sys_connect request failed: [110]: Connection timed out [ldap_network_timeout].

This update has been pushed to testing.

3 months ago

Works (not giving +1 because of test failures).

I'm not sure whether I'm imagining things here, but it seems that downgrading to the previous version of sssd breaks things. Apparently, something about permissions of the ini file not being right. This causes sssd and its minions like kcm to fail when starting, which then promptly breaks the user DB (in my case LDAP/krb5).

Stuff like this on downgrade:

Dec 11 16:09:55 systemd[1]: Starting sssd.service - System Security Services Daemon...
Dec 11 16:09:56 sssd[906]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Dec 11 16:09:56 sssd[906]: Can't read config: 'File ownership and permissions check failed'
Dec 11 16:09:56 systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Dec 11 16:09:56 systemd[1]: sssd.service: Failed with result 'exit-code'.
Dec 11 16:09:56 systemd[1]: Failed to start sssd.service - System Security Services Daemon.

The openQA test is not designed to do any kind of downgrade (and only would if the package versions were incorrect somehow). See https://bodhi.fedoraproject.org/updates/FEDORA-2024-61dea2e6ce#comment-3863847 for what I found, looking around the logs in the failure on the Rawhide update.

@atikhonov there is no "infra" to speak of here, ipa001.test.openqa.fedoraproject.org is not really part of fedora infra, it is just another job in the openQA cluster. If communication to it weren't working, the test would've failed earlier in different ways, most likely (enrolling the client would not have worked at all).

Thanks @adamwill. The downgrade was something I did locally (by accident, to be honest). Maybe the config file had 0600 before and is now 0640, which upsets the previous version.

In upgrade_realmd_client I can see a time desync between the client and the server:

   *  (2024-12-10 13:06:32): [krb5_child[2211]] [check_fast_ccache] (0x0200): [RID#58] FAST TGT is still valid.
...
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [tgt_req_child] (0x1000): [RID#58] Attempting to get a TGT
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [get_and_save_tgt] (0x0400): [RID#58] Attempting kinit for realm [TEST.OPENQA.FEDORAPROJECT.ORG]
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [get_and_save_tgt] (0x0020): [RID#58] 2352: [-1765328351][Error constructing AP-REQ armor: Ticket not yet valid]

Maybe the config file had 0600 before and is now 0640, which upsets the previous version.

Right: https://github.com/SSSD/sssd/commit/8472777ec472607ea450ddb4c4666017bd0de704

https://github.com/fedora-selinux/selinux-policy/pull/2469 was merged upstream and should be included in Fedora soon.

filiperosset commented & provided feedback 3 months ago

ok

This update has been unpushed.

I'm unpushing the changes. Once SELinux policy is fixed we'll try again. Thank you everybody for the feedback.

@pbrezina, you may want to include a scriptlet that reverts ini file permissions to 0600 on downgrade below 2.10.1 to avoid breaking existing machines.

@pbrezina, looks like SELinux policy update has been queued. Didn't check whether it includes a fix for sssd.

looks like SELinux policy update has been queued. Didn't check whether it includes a fix for sssd.

It does contain a fix for SSSD. We'll re-push the build once the selinux policy update is in the compose.

Hi @bojan,

Thank you for the heads-up. Once the SELinux policy update is stabilized I'll take care of pushing back this build for testing.

This update has been submitted for testing by ipedrosa.

3 months ago

I still think that this package should revert permissions of sssd.conf to 0600 on downgrade to a version below itself. Without that, it can break authentication for anyone rolling back a set of updates. Think about doing something like that at scale. It could render a whole fleet of machines inaccessible.
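
A pre-rollback check along the lines discussed above, as an added example that is not part of the thread or of the sssd package: it flags config files whose mode an older sssd would reject and counts the matching start failure in journal text. It assumes, as the comments suggest, that versions below 2.10.1 require mode 0600; the function names are hypothetical and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not from the thread or the sssd package.
# Assumption taken from the discussion: sssd below 2.10.1 refuses to start
# unless its config file has mode 0600, while 2.10.1 may leave it at 0640.

LEGACY_MODE=600   # mode the older sssd is assumed to require

# Audit one or more config files before rolling sssd back.
# Prints every file that would be rejected.
# Returns 0 if all pass, 1 if any would be rejected, 2 if a file is missing.
sssd_conf_rollback_check() {
    [ "$#" -gt 0 ] || set -- /etc/sssd/sssd.conf
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f" >&2
            return 2
        fi
        mode=$(stat -c '%a' "$f")   # octal mode, e.g. 640
        if [ "$mode" != "$LEGACY_MODE" ]; then
            echo "WOULD-FAIL $f mode=$mode expected=$LEGACY_MODE"
            rc=1
        fi
    done
    return "$rc"
}

# Count sssd start failures caused by the config permission check.
# Reads journal text on stdin and prints the number of matching lines.
sssd_perm_failures() {
    grep -c -F 'Permission check on config file failed' || true
}

# Sample input: two journal lines quoted in the comment above.
SAMPLE_LOG="Dec 11 16:09:56 sssd[906]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Dec 11 16:09:56 sssd[906]: Can't read config: 'File ownership and permissions check failed'"

# Typical use on a host about to be rolled back:
#   sssd_conf_rollback_check /etc/sssd/sssd.conf || echo "fix modes first"
#   journalctl -u sssd -b | sssd_perm_failures
```
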

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'failed'.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update has been pushed to testing.

3 months ago

This update's test gating status has been changed to 'passed'.

3 months ago
bojan provided feedback 3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'passed'.

3 months ago
besser82 commented & provided feedback 3 months ago

Works great! LGTM! =)

This update can be pushed to stable now if the maintainer wishes

3 months ago

This update has been submitted for stable by atikhonov.

3 months ago

This update has been pushed to stable.

3 months ago


Metadata
Type: unspecified
Karma: 2
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 3 months ago
in testing: 3 months ago
in stable: 3 months ago
approved: 3 months ago
