[Bug 1131686] New: openSUSE-2019-1163 security update for ldb break sssd
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 Bug ID: 1131686 Summary: openSUSE-2019-1163 security update for ldb break sssd Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: 64bit OS: Other Status: NEW Severity: Critical Priority: P5 - None Component: Samba Assignee: samba-maintainers@SuSE.de Reporter: pellice@gmail.com QA Contact: samba-maintainers@SuSE.de Found By: --- Blocker: --- After I applied the openSUSE-2019-1163 security update for ldb sssd service crash at startup: sssd[15186]:ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3 sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable sssd: SSSD couldn't load the configuration database [5]: Input/output error. I reverted it to previous version as a temporary workaround: zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c1 Daniel Bischof <dbischof@hrz.uni-kassel.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dbischof@hrz.uni-kassel.de --- Comment #1 from Daniel Bischof <dbischof@hrz.uni-kassel.de> --- Same here. This is a serious issue for me, since all my users are on IPA and without sssd, nobody is able to log in to their workstations. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c2 Noel Power <nopower@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nopower@suse.com --- Comment #2 from Noel Power <nopower@suse.com> --- where did the update come from ? is this really Leap.15 ? This only ldb I see in updates is https://build.opensuse.org/package/show/openSUSE:Leap:15.0:Update/ldb which is libldb1-1.2.3 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c3 --- Comment #3 from alexis Pellicier <pellice@gmail.com> --- Yes it comes from opensuse official repo: zypper lr -u # | Alias | Name | Enabled | GPG Check | Refresh | URI 1 | NON-OSS | NON-OSS | Yes | (r ) Yes | No | http://download.opensuse.org/distribution/leap/15.0/repo/non-oss/ 2 | OSS | OSS | Yes | (r ) Yes | No | http://download.opensuse.org/distribution/leap/15.0/repo/oss/ 3 | UPDATES-NON-OSS | UPDATES-NON-OSS | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.0/non-oss 4 | UPDATES-OSS | UPDATES-OSS | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.0/oss zypper if libldb1 Loading repository data... Reading installed packages... Information for package libldb1: -------------------------------- Repository : UPDATES-OSS Name : libldb1 Version : 1.2.3-lp150.7.2 Arch : x86_64 Vendor : openSUSE Installed Size : 343.2 KiB Installed : Yes Status : out-of-date (version 1.2.3-lp150.2.3.1 installed) Source package : ldb-1.2.3-lp150.7.2.src Summary : An LDAP-like embedded database Description : LDB is an LDAP-like embedded database. This package includes the ldb1 library. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c4 Wolfgang Bauer <wbauer@tmo.at> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wbauer@tmo.at --- Comment #4 from Wolfgang Bauer <wbauer@tmo.at> --- Looks like it's actually 1.2.4 though: wolfi@linux-lf90:~> rpm -ql libldb1 /usr/lib64/ldb /usr/lib64/ldb/asq.so /usr/lib64/ldb/paged_results.so /usr/lib64/ldb/paged_searches.so /usr/lib64/ldb/rdn_name.so /usr/lib64/ldb/sample.so /usr/lib64/ldb/server_sort.so /usr/lib64/ldb/skel.so /usr/lib64/ldb/tdb.so /usr/lib64/libldb.so.1 /usr/lib64/libldb.so.1.2.4 wolfi@linux-lf90:~> rpm -q libldb1 libldb1-1.2.3-lp150.7.2.x86_64 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c9 Jean-François Juneau <jfjuneau@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jfjuneau@gmail.com --- Comment #9 from Jean-François Juneau <jfjuneau@gmail.com> --- Same here, could not log in to the Active Directory domain from my openSUSE Leap 15 laptop this morning because the SSSD service was unable to start (reverting libldb1 to 1.2.3-lp150.2.3.1 fixes the issue): 2019-04-06T09:49:44.913043-04:00 lnxjfjuneau sssd[1235]: ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3 2019-04-06T09:49:44.913378-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable 2019-04-06T09:49:44.916528-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable 2019-04-06T09:49:44.918134-04:00 lnxjfjuneau sssd: SSSD couldn't load the configuration database [5]: Input/output error. 2019-04-06T09:49:45.049363-04:00 lnxjfjuneau systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION 2019-04-06T09:49:45.050145-04:00 lnxjfjuneau systemd[1]: sssd.service: Unit entered failed state. 2019-04-06T09:49:45.050321-04:00 lnxjfjuneau systemd[1]: sssd.service: Failed with result 'exit-code'. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c11 Johannes Weberhofer <jweberhofer@weberhofer.at> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jweberhofer@weberhofer.at --- Comment #11 from Johannes Weberhofer <jweberhofer@weberhofer.at> --- My intermediate fix is to roll back the update of libldb1 and lock the package. I guess there must be some influence on samba but I don't use it. At least my users can log in again: zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1 zypper addlock libldb1-1.2.3-lp150.2.3.1.x86_64 Don't forget the remove the lock when the problem has been solved. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 Johannes Weberhofer <jweberhofer@weberhofer.at> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c12 --- Comment #12 from Johannes Weberhofer <jweberhofer@weberhofer.at> --- In my previous comment the proper command is: zypper addlock libldb1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c13 Michael Rath <rath@itsm.uni-stuttgart.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P2 - High |P1 - Urgent CC| |rath@itsm.uni-stuttgart.de --- Comment #13 from Michael Rath <rath@itsm.uni-stuttgart.de> --- Definitively a showstopper for all who are using sssd to authenticate. Workaround by going back to old version works, but either sssd should be updated to use new version (and the naming should be changed to 1.2.4) or patch should be backported to 1.2.3 (assuming this is really 1.2.4) for the not so good in fixing bugs themselves. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 H Harun <hharun@cs.ubc.ca> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hharun@cs.ubc.ca -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 Martin Kofahl <martin.kofahl@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.kofahl@gmail.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c21 --- Comment #21 from Daniel Bischof <dbischof@hrz.uni-kassel.de> --- Todays updates (libldb1 1.2.4-lp150.10.1, Samba 4.7.11+git.153.b36ceaf2235-lp150.3.14.1) resolved the issue for me. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c26 Manfred Hupfer <mhupfer@franken-online.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Version|Leap 15.0 |Leap 15.3 Resolution|FIXED |--- --- Comment #26 from Manfred Hupfer <mhupfer@franken-online.de> --- This bug is now back with openSUSE 15.3 and a version mismatch between ldb2 2.4.2 and 2.4.1: Mai 14 18:41:17 yagi sssd[6425]: ldb: module version mismatch in ../../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=2.4.2 module_version=2.4.1 Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba/acl.so : Unavailable Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba : Unavailable Mai 14 18:41:17 yagi sssd[6425]: SSSD couldn't load the configuration database [5]: Input/output error. Mai 14 18:41:17 yagi systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION As mentioned in the forum, it goes away when uninstalling the package "samba-dsdb-modules" which is a dependency for package "samba-ad-dc". Also the workaround of deleting the symlink "/usr/lib64/ldb/samba" mentioned by user ameijeiras back in 2019 still works. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c27 --- Comment #27 from Manfred Hupfer <mhupfer@franken-online.de> --- Edit: the symlink to be deleted is "/usr/lib64/ldb/samba/usr/lib64/ldb/samba" now. -- You are receiving this mail because: You are on the CC list for the bug.
participants (2)
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com