http://bugzilla.opensuse.org/show_bug.cgi?id=1131686
Bug ID: 1131686 Summary: openSUSE-2019-1163 security update for ldb break sssd Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: 64bit OS: Other Status: NEW Severity: Critical Priority: P5 - None Component: Samba Assignee: samba-maintainers@SuSE.de Reporter: pellice@gmail.com QA Contact: samba-maintainers@SuSE.de Found By: --- Blocker: ---
After I applied the openSUSE-2019-1163 security update for ldb sssd service crash at startup:
sssd[15186]:ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3 sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable sssd: SSSD couldn't load the configuration database [5]: Input/output error.
I reverted it to previous version as a temporary workaround:
zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c1
Daniel Bischof dbischof@hrz.uni-kassel.de changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dbischof@hrz.uni-kassel.de
--- Comment #1 from Daniel Bischof dbischof@hrz.uni-kassel.de --- Same here. This is a serious issue for me, since all my users are on IPA and without sssd, nobody is able to log in to their workstations.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c2
Noel Power nopower@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |nopower@suse.com
--- Comment #2 from Noel Power nopower@suse.com --- where did the update come from ? is this really Leap.15 ?
This only ldb I see in updates is https://build.opensuse.org/package/show/openSUSE:Leap:15.0:Update/ldb which is libldb1-1.2.3
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c3
--- Comment #3 from alexis Pellicier pellice@gmail.com --- Yes it comes from opensuse official repo:
zypper lr -u
# | Alias | Name | Enabled | GPG Check | Refresh | URI 1 | NON-OSS | NON-OSS | Yes | (r ) Yes | No | http://download.opensuse.org/distribution/leap/15.0/repo/non-oss/ 2 | OSS | OSS | Yes | (r ) Yes | No | http://download.opensuse.org/distribution/leap/15.0/repo/oss/ 3 | UPDATES-NON-OSS | UPDATES-NON-OSS | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.0/non-oss 4 | UPDATES-OSS | UPDATES-OSS | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.0/oss
zypper if libldb1 Loading repository data... Reading installed packages...
Information for package libldb1: -------------------------------- Repository : UPDATES-OSS Name : libldb1 Version : 1.2.3-lp150.7.2 Arch : x86_64 Vendor : openSUSE Installed Size : 343.2 KiB Installed : Yes Status : out-of-date (version 1.2.3-lp150.2.3.1 installed) Source package : ldb-1.2.3-lp150.7.2.src Summary : An LDAP-like embedded database Description : LDB is an LDAP-like embedded database.
This package includes the ldb1 library.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c4
Wolfgang Bauer wbauer@tmo.at changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |wbauer@tmo.at
--- Comment #4 from Wolfgang Bauer wbauer@tmo.at --- Looks like it's actually 1.2.4 though: wolfi@linux-lf90:~> rpm -ql libldb1 /usr/lib64/ldb /usr/lib64/ldb/asq.so /usr/lib64/ldb/paged_results.so /usr/lib64/ldb/paged_searches.so /usr/lib64/ldb/rdn_name.so /usr/lib64/ldb/sample.so /usr/lib64/ldb/server_sort.so /usr/lib64/ldb/skel.so /usr/lib64/ldb/tdb.so /usr/lib64/libldb.so.1 /usr/lib64/libldb.so.1.2.4 wolfi@linux-lf90:~> rpm -q libldb1 libldb1-1.2.3-lp150.7.2.x86_64
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c9
Jean-François Juneau jfjuneau@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jfjuneau@gmail.com
--- Comment #9 from Jean-François Juneau jfjuneau@gmail.com --- Same here, could not log in to the Active Directory domain from my openSUSE Leap 15 laptop this morning because the SSSD service was unable to start (reverting libldb1 to 1.2.3-lp150.2.3.1 fixes the issue):
2019-04-06T09:49:44.913043-04:00 lnxjfjuneau sssd[1235]: ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3 2019-04-06T09:49:44.913378-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable 2019-04-06T09:49:44.916528-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable 2019-04-06T09:49:44.918134-04:00 lnxjfjuneau sssd: SSSD couldn't load the configuration database [5]: Input/output error. 2019-04-06T09:49:45.049363-04:00 lnxjfjuneau systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION 2019-04-06T09:49:45.050145-04:00 lnxjfjuneau systemd[1]: sssd.service: Unit entered failed state. 2019-04-06T09:49:45.050321-04:00 lnxjfjuneau systemd[1]: sssd.service: Failed with result 'exit-code'.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c11
Johannes Weberhofer jweberhofer@weberhofer.at changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jweberhofer@weberhofer.at
--- Comment #11 from Johannes Weberhofer jweberhofer@weberhofer.at --- My intermediate fix is to roll back the update of libldb1 and lock the package. I guess there must be some influence on samba but I don't use it. At least my users can log in again:
zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1 zypper addlock libldb1-1.2.3-lp150.2.3.1.x86_64
Don't forget the remove the lock when the problem has been solved.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686
Johannes Weberhofer jweberhofer@weberhofer.at changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c12
--- Comment #12 from Johannes Weberhofer jweberhofer@weberhofer.at --- In my previous comment the proper command is:
zypper addlock libldb1
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c13
Michael Rath rath@itsm.uni-stuttgart.de changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|P2 - High |P1 - Urgent CC| |rath@itsm.uni-stuttgart.de
--- Comment #13 from Michael Rath rath@itsm.uni-stuttgart.de --- Definitively a showstopper for all who are using sssd to authenticate. Workaround by going back to old version works, but either sssd should be updated to use new version (and the naming should be changed to 1.2.4) or patch should be backported to 1.2.3 (assuming this is really 1.2.4) for the not so good in fixing bugs themselves.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686
H Harun hharun@cs.ubc.ca changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |hharun@cs.ubc.ca
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686
Martin Kofahl martin.kofahl@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.kofahl@gmail.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c21
--- Comment #21 from Daniel Bischof dbischof@hrz.uni-kassel.de --- Todays updates (libldb1 1.2.4-lp150.10.1, Samba 4.7.11+git.153.b36ceaf2235-lp150.3.14.1) resolved the issue for me.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c26
Manfred Hupfer mhupfer@franken-online.de changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Version|Leap 15.0 |Leap 15.3 Resolution|FIXED |---
--- Comment #26 from Manfred Hupfer mhupfer@franken-online.de --- This bug is now back with openSUSE 15.3 and a version mismatch between ldb2 2.4.2 and 2.4.1:
Mai 14 18:41:17 yagi sssd[6425]: ldb: module version mismatch in ../../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=2.4.2 module_version=2.4.1 Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba/acl.so : Unavailable Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba : Unavailable Mai 14 18:41:17 yagi sssd[6425]: SSSD couldn't load the configuration database [5]: Input/output error. Mai 14 18:41:17 yagi systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
As mentioned in the forum, it goes away when uninstalling the package "samba-dsdb-modules" which is a dependency for package "samba-ad-dc".
Also the workaround of deleting the symlink "/usr/lib64/ldb/samba" mentioned by user ameijeiras back in 2019 still works.
http://bugzilla.opensuse.org/show_bug.cgi?id=1131686 http://bugzilla.opensuse.org/show_bug.cgi?id=1131686#c27
--- Comment #27 from Manfred Hupfer mhupfer@franken-online.de --- Edit: the symlink to be deleted is "/usr/lib64/ldb/samba/usr/lib64/ldb/samba" now.
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com