Ubuntu
sssd package

[regression] sssd won't start if autofs is not installed

Bug #1695870 reported by Stephane Chazelas
104
This bug affects 19 people
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Critical
Victor Tapia
Xenial
Fix Released
Medium
Victor Tapia

Bug Description

[Impact]

 * On Trusty, SSSD does not start when AutoFS is not installed because the AutoFS "starting" signal is not emitted.
 * This only affects the upstart service (Trusty). Systemd services work fine.

[Test Case]

 * Install SSSD in a machine without AutoFS and reboot.
 * The service won't start on boot, even though it can be started manually.

[Regression Potential]

 * None expected, but if one is found it will only impact the startup of SSSD at boot

[Original Description]

* The Xenial regression has been first reported via LP: #1700084 and then we marked it a duplicate and decided to continue the SRU via this bug (being the original one) for the SRU to be less confusing.

The fix for LP# 1566508 (in Ubuntu 14.04 at least) introduces a regression that prevents sssd from starting if the autofs package is not installed.

The /etc/init/sssd.conf script now has:

```
start on (filesystem and net-device-up and starting autofs)
```

The "starting autofs" will never happen if autofs is not installed.

That's critical in that that prevents authentication after the next boot after "sssd" has been upgraded.

The work around for now is to remove that "and starting autofs" or install the autofs package.

```
$ apt-cache policy sssd
sssd:
  Installed: 1.11.8-0ubuntu0.6
  Candidate: 1.11.8-0ubuntu0.6
  Version table:
 *** 1.11.8-0ubuntu0.6 0
        500 http://gb.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.11.5-1ubuntu3 0
        500 http://gb.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
```

See original description
Stephane Chazelas (stephane-chazelas)
tags: added: regression-update
Victor Tapia (vtapia)
Changed in sssd (Ubuntu):
assignee: nobody → Victor Tapia (vtapia)
tags: added: sts
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Trusty):
assignee: nobody → Victor Tapia (vtapia)
importance: Undecided → Medium
status: New → In Progress
tags: added: sts-sru-needed
Eric Desrochers (slashd)
Changed in sssd (Ubuntu):
assignee: Victor Tapia (vtapia) → nobody
Victor Tapia (vtapia)
description: updated
Revision history for this message
Victor Tapia (vtapia) wrote :
description: updated
Eric Desrochers (slashd)
tags: added: sts-sru-done
removed: sts-sru-needed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "trusty-sssd_1.11.8-0ubuntu0.7.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Eric Desrochers (slashd)
tags: removed: patch
Revision history for this message
Vincent van Adrighem (adrighem) wrote :

Can the importance be increased on this one? Central authentication failing on systems using this package (the impact of this bug) might be a bit more important than medium.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

A fix has been uploaded to trusty-proposed, so please test it and change the tag to 'verification-done' if it works.

tags: added: verification-needed
Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

I have just tested the package (1.11.8-0ubuntu0.7) on Trusty and I confirm that it fixes the issue: sssd starts correctly without autofs installed.

Revision history for this message
Victor Tapia (vtapia) wrote :
Download full text (4.0 KiB)

#VERIFICATION FOR LP#1695870

- Version of the package: 1.11.8-0ubuntu0.7

ubuntu@sssd-trusty:~$ dpkg -l | grep -i sssd
ii libsss-idmap0 1.11.8-0ubuntu0.7 amd64 ID mapping library for SSSD
ii sssd 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- proxy back end

- After installing sssd from -proposed in a machine without autofs, sssd starts automatically after a reboot:

ubuntu@sssd-trusty:~$
Broadcast message from ubuntu@sssd-trusty
 (/dev/pts/0) at 10:05 ...

The system is going down for reboot NOW!

...

# confirmation of autofs not installed:
ubuntu@sssd-trusty:~$ dpkg -l | grep -i autofs
ubuntu@sssd-trusty:~$ ls /etc/init/aut*
ls: cannot access /etc/init/aut*: No such file or directory
ubuntu@sssd-trusty:~$ ls /etc/init.d/aut*
ls: cannot access /etc/init.d/aut*: No such file or directory

ubuntu@sssd-trusty:~$ status sssd
sssd start/running, process 943
ubuntu@sssd-trusty:~$ ps -ef | grep sss
root 943 1 0 10:05 ? 00:00:00 sssd -i -f
root 1045 943 0 10:05 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain openstacklocal --debug-to-files
root 1070 943 0 10:05 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --debug-to-files
root 1071 943 0 10:05 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --debug-to-files
ubuntu 1244 1218 0 10:06 pts/0 00:00:00 grep --color=auto sss

- And from /var/log/syslog:
...
Jun 6 10:05:38 sssd-trusty kernel: [ 1.212080] usb 1-1: new full-speed USB device number 2 using uhci_hcd
Jun 6 10:05:38 sssd-trusty kernel: [ 1.377041] usb 1-1: New USB device found, idVendor=0627, idProduct=0001
Jun 6 10:05:38 sssd-trusty kernel: [ 1.378846] usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=5
Jun 6 10:05:38 sssd-trusty kernel: [ 1.380419] usb 1-1: Product: QEMU USB Tablet
Jun 6 10:05:38 sssd-trusty kernel: [ 1.381515] usb 1-1: Manufacturer: QEMU
J...

Read more...

tags: added: verification-done
removed: verification-needed
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Simon Major (simon-major) wrote :

Proposed worked for me too on one of my impacted systems.

Before reboot:

sudo vi /etc/apt/sources.list ; sudo vi /etc/apt/preferences.d/proposed-updates ; sudo apt-get update ; sudo apt-get --only-upgrade install sssd/trusty-proposed libsss-sudo/trusty-proposed

After reboot:

uptime ; dpkg -l | grep -E 'sss|autofs'

Revision history for this message
Graham Leggett (minfrin-y) wrote :

This bug just knocked out all of our development environments, how long before a fix will be downloadable as an update?

Maxime Besson (mabes)
Changed in sssd (Ubuntu Trusty):
status: Fix Committed → Invalid
status: Invalid → Fix Committed
Revision history for this message
Eric Desrochers (slashd) wrote :

@Graham Leggett (minfrin-y)

The SRU team will evaluate the testing feedback and they will move the package into -updates after it has passed a minimum aging period of 7 days.

As of today, we are at day 1 :

Package -release -updates -proposed (signer, creator) changelog bugs days
sssd 1.11.5-1ubuntu3 1.11.8-0ubuntu0.6 1.11.8-0ubuntu0.7 (slashd, vtapia) 1566508 1695870 1

Reference:
https://people.canonical.com/~ubuntu-archive/pending-sru.html

- Eric

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Moving to Critical as this fully breaks the purpose of SSSD.

Changed in sssd (Ubuntu Trusty):
importance: Medium → Critical
Revision history for this message
Mike Fry (mikefrygm) wrote :

Forgive me, I am a newbie. How do I apply the proposed patch?

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

The easiest/recommended way is to follow https://wiki.ubuntu.com/Testing/EnableProposed for enabling -proposed.

The package was also built and is available at https://launchpad.net/ubuntu/+source/sssd/1.11.8-0ubuntu0.7. You could use that to do a manual install.

Please if you post a comment saying it worked mention (or didn't) which method you used and report the version of sssd you have installed (something like dpkg -l | grep sss I think should capture all sss libs and sssd).

Thanks to all who test!

Revision history for this message
Mike Fry (mikefrygm) wrote :

Our tests on two computers are working. Our process:
1. enable apt.conf to get through proxy
2. update sources.list with https://wiki.ubuntu.com/Testing/EnableProposed for enabling -proposed.
3. apt-get upgrade -s sssd
4. rerun our AD integration script
5. reboot

We will be testing this process on a few more computers as we can get our hands on them.

Revision history for this message
Eric Desrochers (slashd) wrote :

== Trusty Verification ==

[Before the patch]

# dpkg
ii libsss-idmap0 1.11.8-0ubuntu0.6 amd64 ID mapping library for SSSD
ii sssd 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- proxy back end

# Reboot

# service sssd status
sssd stop/waiting

It does start manually but not at boot time

---

[After the patch (trusty-proposed)]
# dpkg
ii libsss-idmap0 1.11.8-0ubuntu0.7 amd64 ID mapping library for SSSD
ii sssd 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.11.8-0ubuntu0.7 amd64 System Security Services Daemon -- proxy back end

# Reboot

# service sssd status
sssd start/running, process 669

It does start manually and at boot time, as expected.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.11.8-0ubuntu0.7

---------------
sssd (1.11.8-0ubuntu0.7) trusty; urgency=medium

  * Fix regression where SSSD doesn't start on boot if autofs is not
    installed (LP: #1695870):
    - rules: Support new service
    - sssd-common.sssd-autofs.upstart.in: Restart autofs to read direct mounts
    after SSSD and autofs have started (only on startup). This keeps the fix
    for the autofs and SSSD race condition (LP: #1566508)
    - sssd-common.sssd.upstart.in: Remove "starting autofs" to allow SSSD to
    start without autofs.

 -- Victor Tapia <email address hidden> Mon, 05 Jun 2017 12:41:12 +0200

Changed in sssd (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Amr Ibrahim (amribrahim1987)
Changed in sssd (Ubuntu):
status: Confirmed → Fix Released
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
importance: Undecided → Medium
status: New → Confirmed
status: Confirmed → In Progress
Revision history for this message
Victor Tapia (vtapia) wrote :
Revision history for this message
Eric Desrochers (slashd) wrote :

Uploaded into Xenial upload queue. Now waiting for SRU team approval to start building in xenial-proposed.

- Eric

tags: added: verification-done-trusty
removed: verification-done
tags: added: sts-sru-needed
removed: sts-sru-done
Eric Desrochers (slashd)
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

I have accepted the xenial version (1.13.4-1ubuntu1.6) of this upload just now. The usual tool for doing reviews has exploded so the usual SRU-notification wasn't sent out - reason for that was that the changelog mentioned an already Fix Released bug as being fixed by this release here (LP: #1566508). I expected this to be just a no-op, but I guess I should have requested a re-upload without it being mentioned instead... Now it's too late.

Anyway, please test the sssd package in xenial-proposed and mark the bug as verification-done-xenial if the bug is fixed (or verification-failed-xenial if the verification failed).

Thank you!

tags: added: verification-done-xenial
Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Victor Tapia (vtapia) wrote :
Download full text (3.6 KiB)

#VERIFICATION FOR XENIAL+Upstart (LP#1695870)

- Version of the package: 1.13.4-1ubuntu1.6

ubuntu@xenial-upstart:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.6 amd64 System Security Services Daemon -- proxy back end

- After installing sssd from -proposed in a machine without autofs, sssd starts automatically after a reboot:

# confirmation of autofs not installed:
ubuntu@xenial-upstart:~$ dpkg -l | grep -i autofs
ubuntu@xenial-upstart:~$ ls /etc/init/aut*
ls: cannot access /etc/init/aut*: No such file or directory
ubuntu@xenial-upstart:~$ ls /etc/init.d/aut*
ls: cannot access /etc/init.d/aut*: No such file or directory

ubuntu@xenial-upstart:~$
Broadcast message from ubuntu@xenial-upstart
        (/dev/pts/0) at 11:03 ...

The system is going down for reboot NOW!

...

Last login: Wed Jul 12 11:02:45 2017 from 10.5.1.55
ubuntu@xenial-upstart:~$ status sssd
sssd start/running, process 1109

ubuntu@xenial-upstart:~$ ps -ef | grep sss
root 1109 1 0 11:03 ? 00:00:00 sssd -D -f
root 1126 1109 0 11:03 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain openstacklocal --uid 0 --gid 0 --debug-to-files
root 1164 1109 0 11:03 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root 1165 1109 0 11:03 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
root 1166 1109 0 11:03 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_autofs --uid 0 --gid 0 --debug-to-files
ubuntu 1546 1530 0 11:05 pts/0 00:00:00 grep --color=auto sss

- And from /var/log/syslog:

...
Jul 12 11:03:39 xenial-upstart kernel: [ 9.028635] audit: type=1400 audit(1499857419.712:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/sbin/dhclient" pid=950 comm="apparmor_parser"
Jul 12 11:03:39 xenial-upstart dbus[953]: [system] AppArmor D-Bus mediation is enabled
Jul 12 11:03:39 xenial-upstart pollinate[892]: sys...

Read more...

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.6

---------------
sssd (1.13.4-1ubuntu1.6) xenial; urgency=medium

  * Fix regression where SSSD doesn't start on boot if autofs is not
    installed (LP: #1695870):
    - rules: Support new service
    - sssd-common.sssd-autofs.upstart.in: Restart autofs to read direct mounts
    after SSSD and autofs have started (only on startup). This keeps the fix
    for the autofs and SSSD race condition (LP: #1566508)
    - sssd-common.sssd.upstart.in: Remove "starting autofs" to allow SSSD to
    start without autofs.

 -- Victor Tapia <email address hidden> Mon, 05 Jun 2017 12:41:12 +0200

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.