Ubuntu
sssd package

Wrong installation path for the sssd Python module

Bug #1979453 reported by Fabien Malfoy
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Sergio Durigan Junior
Kinetic
Fix Released
Undecided
Unassigned

Bug Description

[ Impact ]

sssd users who try to invoke the "sssctl analyze" command on Ubuntu Jammy will experience the following error:

/usr/bin/env: ‘python’: No such file or directory

This happens because "sssctl analyze" will call /usr/libexec/sssd/sss_analyze, which uses "#!/usr/bin/env python" as its shebang. This is incorrect, as it should be using "python3" instead.

When this bug is fixed, another one pops up:

Traceback (most recent call last):
  File "/usr/libexec/sssd/sss_analyze", line 3, in <module>
    from sssd import sss_analyze
ModuleNotFoundError: No module named 'sssd'

This bug is happening because sssd-tools currently installs its Python files inside /usr/lib/python3.10/site-packages/sssd/, but the right path to install these files is /usr/lib/python3/dist-packages/sssd.

[ Test Plan ]

$ lxc launch ubuntu-daily:jammy sssd-bug1979453
$ lxc shell sssd-bug1979453
# apt update
# apt install -y sssd sssd-tools
# cat > /etc/sssd/sssd.conf << _EOF_
[sssd]
config_file_version = 2
services = pam
domains = example.com

[pam]

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM
_EOF_
# chmod 0600 /etc/sssd/sssd.conf
# sssctl analyze

With the current version of sssd available in Jammy, you should see the error messages listed above (in the "Impact") section. With a fixed sssd, you will see:

# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] COMMANDS ...

Analyzer tool to assist with SSSD log parsing

options:
  -h, --help show this help message and exit
  --source {files,journald}
  --logdir LOGDIR SSSD Log directory to parse log files from

  COMMANDS
    Modules
      request Request tracking

[ Where problems could occur ]

This fix changes the path where sssd's Python files are installed. I believe this is the most problematic part of this SRU: although we doing "the right thing" here, there is always the possibility that someone might have a local script that somehow relies on the Python files to be where they currently are. This would obviously be an unsupported scenario, but nonetheless it could break this person's script. I find it highly unlikely that this will happen, though, because this bug did not exist until very recently ("sssctl analyze" has been introduced only on Jammy).

[ Original Description ]

Context
---------

```
# lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
```

 Symptoms
----------

The `/usr/libexec/sssd/sss_analyze` tool, invoked through `sssctl analyze`, is broken under Ubuntu 22.04:

```
# sssctl analyze --help
Traceback (most recent call last):
  File "/usr/libexec/sssd/sss_analyze", line 3, in <module>
    from sssd import sss_analyze
ModuleNotFoundError: No module named 'sssd'
Command '/usr/libexec/sssd/sss_analyze' failed with [1]
```

 Cause
-------

The tool is brought by the `sssd-tools` package, which also comes with the expected Python module named `sssd`:

```
# dpkg -S /usr/libexec/sssd/sss_analyze
sssd-tools: /usr/libexec/sssd/sss_analyze
# apt-cache show sssd-tools
Package: sssd-tools
Architecture: amd64
Version: 2.6.3-1ubuntu3
Priority: extra
Section: utils
Source: sssd
Origin: Ubuntu
...
Depends: python3, python3-sss, python3-systemd, sssd-common (= 2.6.3-1ubuntu3), libc6 (>= 2.34), libdhash1 (>= 0.4.0), libldb2 (>= 0.9.21), libpam0g (>= 0.99.7.1), libpopt0 (>= 1.14), libref-array1 (>= 0.4.0), libsss-certmap0 (>= 2.6.3), libtalloc2 (>= 2.0.4~git20101213)
...
Filename: pool/main/s/sssd/sssd-tools_2.6.3-1ubuntu3_amd64.deb
Size: 92454
MD5sum: ed023079efa434dbfefb0a11488be6be
SHA1: 28f44521c11ae93f774b907ef13aaec271f5db77
SHA256: b4954b7ec32bbc21fa77ecc5a68f3ddd682bf4408ad029bfc403367dc7dc657b
SHA512: 693eaa32af1dd9ffbbfc6a553ea9db72e76d9e5d1567da83d9356db21ad462927e4a3c20773f17a914115e89d1e62c66b28d529c52642d7f9f58d8d812113e83
...
# dpkg -L sssd-tools
...
/usr/lib/python3.10/site-packages/sssd
/usr/lib/python3.10/site-packages/sssd/__init__.py
/usr/lib/python3.10/site-packages/sssd/modules
/usr/lib/python3.10/site-packages/sssd/modules/__init__.py
/usr/lib/python3.10/site-packages/sssd/modules/request.py
/usr/lib/python3.10/site-packages/sssd/parser.py
/usr/lib/python3.10/site-packages/sssd/source_files.py
/usr/lib/python3.10/site-packages/sssd/source_journald.py
/usr/lib/python3.10/site-packages/sssd/source_reader.py
/usr/lib/python3.10/site-packages/sssd/sss_analyze.py
...
```

Unfortunately, it gets installed into the `site-packages` subdirectory of `/usr/lib/python3.10`, whereas Python is configured to only search the `dist-packages` subdir:

```
# python
Python 3.10.4 (main, Apr 2 2022, 09:04:19) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> sys.path
['', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/local/lib/python3.10/dist-packages', '/usr/lib/python3/dist-packages']
```

 Solution proposal
-------------------

Ship a new release of the package with the module installed into `dist-packages` instead of `site-packages` under `/usr/lib/python3.10`.

See original description

Related branches

~sergiodj/ubuntu/+source/sssd:bug1934997-auth-error-gpo-jammy
Andreas Hasenack: Approve
git-ubuntu bot: Approve
Canonical Server Reporter: Pending requested
Canonical Server Reporter: Pending requested
Canonical Server Reporter: Pending requested
Canonical Server: Pending requested
Diff: 448 lines (+372/-6)
10 files modified
debian/changelog (+18/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+169/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch (+22/-0)
debian/patches/series (+3/-0)
debian/python3-libipa-hbac.install (+1/-1)
debian/python3-libsss-nss-idmap.install (+1/-1)
debian/python3-sss.install (+3/-3)
debian/rules (+2/-0)
debian/sssd-tools.install (+1/-1)
Fabien Malfoy (fmalfoy)
description: updated
Sergio Durigan Junior (sergiodj)
tags: added: server-todo
Changed in sssd (Ubuntu Jammy):
status: New → Confirmed
Changed in sssd (Ubuntu Kinetic):
status: New → Confirmed
Changed in sssd (Ubuntu Jammy):
status: Confirmed → Triaged
Changed in sssd (Ubuntu Kinetic):
status: Confirmed → Triaged
Changed in sssd (Ubuntu Jammy):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Revision history for this message
madigal (osse7) wrote :

 usr.sbin.sssd Caching disabled on Kinetic Mate

    Just getting that warning while upgrading apparmor:

    Reloading AppArmor profiles
    Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
    Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
    Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 60): Caching disabled for: 'usr.sbin.sssd' due to force complain

Sergio Durigan Junior (sergiodj)
description: updated
Sergio Durigan Junior (sergiodj)
description: updated
description: updated
Sergio Durigan Junior (sergiodj)
description: updated
description: updated
Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Jammy):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.7.2-3ubuntu1

---------------
sssd (2.7.2-3ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control: Drop libgdm-dev Build-Depend on i386.
    - d/control: Don't build sssd-tools on i386, now uninstallable due
      to added python3-{click,systemd} dependencies.

sssd (2.7.2-3) unstable; urgency=medium

  * d/p/fix-shebang-on-sss_analyze.patch: Fix shebang on sss_analyze.

sssd (2.7.2-2) unstable; urgency=medium

  * rules, install: Fix python install directory. (LP: #1979453)

 -- Sergio Durigan Junior <email address hidden> Thu, 23 Jun 2022 14:03:54 -0400

Changed in sssd (Ubuntu Kinetic):
status: Triaged → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Fabien, or anyone else affected,

Accepted sssd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.6.3-1ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Jammy verification

Reproduced the error with the jammy packages:

root@sssd-bug1979453:~# apt-cache policy sssd
sssd:
  Installed: 2.6.3-1ubuntu3
  Candidate: 2.6.3-1ubuntu3
  Version table:
 *** 2.6.3-1ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

root@sssd-bug1979453:~# sssctl analyze
/usr/bin/env: ‘python’: No such file or directory
Command '/usr/libexec/sssd/sss_analyze' failed with [127]

Then I upgrade the package to the one in proposed:
root@sssd-bug1979453:~# apt-cache policy sssd
sssd:
  Installed: 2.6.3-1ubuntu3.1
  Candidate: 2.6.3-1ubuntu3.1
  Version table:
 *** 2.6.3-1ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages

And the error is gone and I get the expected help page:
root@sssd-bug1979453:~# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] COMMANDS ...

Analyzer tool to assist with SSSD log parsing

options:
  -h, --help show this help message and exit
  --source {files,journald}
  --logdir LOGDIR SSSD Log directory to parse log files from

  COMMANDS
    Modules
      request Request tracking

Jammy verification succeeded.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.6.3-1ubuntu3.1

---------------
sssd (2.6.3-1ubuntu3.1) jammy; urgency=medium

  * d/p/lp1934997-authentication-fails-gpo-non-existent.patch:
    Fix authentication failure when GPO is enabled and
    SecEdit/GptTmpl.inf is missing (LP: #1934997).
  * d/p/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch:
    Ignore non-ASCII characters in GPT.INI. (LP: #1979350)
  * Fix "sssctl analyze" (LP: #1979453)
    [ Timo Aaltonen ]
    - d/{python3-libipa-hbac.install,python3-sss.install,
      sssd-tools.install,rules}: Fix Python installation directory
      path.
    [ Sergio Durigan Junior ]
    - d/p/lp1979453-fix-shebang-on-sss_analyze.patch: Fix shebang on
      sss_analyze.

 -- Sergio Durigan Junior <email address hidden> Wed, 22 Jun 2022 12:31:22 -0400

Changed in sssd (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.