Package: sssd
Version: 1.2.1-4
Severity: important
sssd fails to make an SSL or STARTTLS connection while trying to
authenticate users. When getting usernames or groups, there is no
problem.
Also, using the same SSL settings, ldapsearch -x -Z gets a successful response.
redhat-ds sees:
[16/Dec/2010:15:59:43 +0200] conn=24362 fd=208 slot=208 SSL connection
from client to server
[16/Dec/2010:15:59:43 +0200] conn=24363 fd=365 slot=365 SSL connection
from client to server
[16/Dec/2010:15:59:43 +0200] conn=24364 fd=435 slot=435 SSL connection
from client to server
[16/Dec/2010:15:59:43 +0200] conn=24363 op=-1 fd=365 closed -
Encountered end of file.
[16/Dec/2010:15:59:43 +0200] conn=24362 op=-1 fd=208 closed -
Encountered end of file.
[16/Dec/2010:15:59:43 +0200] conn=24364 op=-1 fd=435 closed -
Encountered end of file.
sssd with debuglevel 10 sees while using start tls:
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_connect_send] (4):
Executing START TLS
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]]
[sdap_ldap_connect_callback_add] (9): New LDAP connection to
[ldap://server:389] with fd [22].
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_process_result] (8):
Trace: sh[0x9a7def0], connected[1], ops[0x9a87c70], ldap[0x9a7e4a0]
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_connect_done] (3):
START TLS result: Success(0), Start TLS request accepted.Server
willing to negotiate SSL.
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [Start TLS request
accepted.Server willing to negotiate SSL.]
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_handle_release] (8):
Trace: sh[0x9a7def0], connected[1], ops[(nil)], ldap[0x9a7e4a0],
destructor_lock[0], release_memory[0]
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]]
[remove_connection_callback] (9): Successfully removed connection
callback.
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [fo_set_port_status] (4):
Marking port 389 of server 'server' as 'not working'
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [ldap_id_enum_users_done]
(9): User enumeration failed with: (5)[Input/output error]
sssd with debuglevel 10 sees while using ldaps ssl setup:
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_uri_callback] (6):
Constructed uri 'ldaps://server'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_uri_callback] (6):
Constructed uri 'ldaps://server'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_uri_callback] (6):
Constructed uri 'ldaps://server'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_get_rootdse_send]
(9): Getting rootdse
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_get_generic_send]
(6): calling ldap_search_ext with [(objectclass=*)][].
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]]
[sdap_ldap_connect_callback_add] (9): New LDAP connection to
[ldaps://server:636] with fd [24].
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_get_generic_send]
(3): ldap_search_ext failed: Can't contact LDAP server
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [fo_set_port_status] (4):
Marking port 636 of server 'server' as 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [fo_resolve_service_send]
(4): Trying to resolve service 'LDAP'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_server_status] (7):
Status of server 'server' is 'name resolved'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_port_status] (7):
Port status of port 636 for server 'server' is 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_server_status] (7):
Status of server 'server' is 'name resolved'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_port_status] (7):
Port status of port 636 for server 'server' is 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_server_status] (7):
Status of server 'server' is 'name resolved'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [get_port_status] (7):
Port status of port 636 for server 'server' is 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [fo_resolve_service_send]
(1): No available servers for service 'LDAP'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [fo_set_port_status] (4):
Marking port 636 of server 'server' as 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_handle_release] (8):
Trace: sh[0x9884c78], connected[1], ops[(nil)], ldap[0x988d958],
destructor_lock[0], release_memory[0]
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]]
[remove_connection_callback] (9): Successfully removed connection
callback.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sssd depends on:
ii libc-ares2 1.7.3-1 library for asyncronous name resol
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libdbus-1-3 1.2.24-3 simple interprocess messaging syst
ii libk5crypto3 1.8.3+dfsg-3 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-3 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
ii libldb0 1:0.9.10~git20100203-1+b1 LDAP-like embedded database - shar
ii libnspr4-0d 4.8.6-1 NetScape Portable Runtime Library
ii libnss3-1d 3.12.8-1 Network Security Service libraries
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libpopt0 1.16-1 lib for parsing cmdline parameters
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libsemanage1 2.0.45-1 SELinux policy management library.
ii libtalloc2 2.0.1-1 hierarchical pool based memory all
ii libtdb1 1.2.1-2+b1 Trivial Database - shared library
ii libtevent0 0.9.8-1+b1 talloc-based event loop library -
ii python 2.6.6-3+squeeze2 interactive high-level object-orie
ii python-sss 1.2.1-4 Pam module for the System Security
Versions of packages sssd recommends:
ii bind9-host 1:9.6.1.dfsg.P3-1 Version of 'host' bundled with BIN
ii ldap-utils 2.4.23-7 OpenLDAP utilities
Versions of packages sssd suggests:
ii libnss-sss 1.2.1-4 Nss library for the System Securit
ii libpam-sss 1.2.1-4 Pam module for the System Security
-- Configuration Files:
/etc/init.d/sssd changed [not included]
-- no debconf information
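
Added example, not part of the original report or of sssd: a small Python parser for sssd debug records in the format shown above. It rejoins records that e-mail has hard-wrapped and lists those that report a failure or mark a port 'not working'. The sample input reuses lines from the report; the function names are this example's own.

```python
import re

# Sample input: records in the debug format shown in the report,
# hard-wrapped across lines the way they appear in the e-mail.
SAMPLE = """\
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_connect_send] (4):
Executing START TLS
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [Start TLS request
accepted.Server willing to negotiate SSL.]
(Thu Dec 16 17:26:55 2010) [sssd[be[SMIT]]] [fo_set_port_status] (4):
Marking port 389 of server 'server' as 'not working'
(Thu Dec 16 17:58:59 2010) [sssd[be[SMIT]]] [sdap_get_generic_send]
(3): ldap_search_ext failed: Can't contact LDAP server
"""

# (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
RECORD = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
RECORD_START = re.compile(r"^\((Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")

def unwrap(text):
    """Rejoin hard-wrapped records; a record starts with '(' plus a weekday."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()  # continuation line
    return records

def parse(text):
    """Return one dict per record that matches the debug format."""
    return [m.groupdict() for m in map(RECORD.match, unwrap(text)) if m]

def failures(text):
    """(function, message) for records that report a failure or a dead port."""
    return [(r["func"], r["msg"]) for r in parse(text)
            if re.search(r"\bfailed\b|'not working'", r["msg"])]

def ports_marked_down(text):
    """Ports the failover code marked 'not working', sorted and de-duplicated."""
    pat = re.compile(r"Marking port (\d+) of server .* as 'not working'")
    return sorted({int(m.group(1)) for r in parse(text)
                   if (m := pat.search(r["msg"]))})

if __name__ == "__main__":
    for func, msg in failures(SAMPLE):
        print(f"{func}: {msg}")
```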