Bug 1131686 - openSUSE-2019-1163 security update for ldb break sssd
Status: RESOLVED DUPLICATE of bug 1199362
Duplicates: 1131753 1131754 1131760 1131829 1132049
Classification: openSUSE
Product: openSUSE Distribution
Component: Samba
Version: Leap 15.3
Hardware: 64bit Other
Importance: P5 - None, Critical with 8 votes
Assigned To: The 'Opening Windows to a Wider World' guys
Reported: 2019-04-05 11:30 UTC by alexis Pellicier
Modified: 2022-05-16 08:51 UTC (History)
Description alexis Pellicier 2019-04-05 11:30:42 UTC
After I applied the openSUSE-2019-1163 security update for ldb, the sssd service crashes at startup:

sssd[15186]:ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3
sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable
sssd[15186]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable
sssd: SSSD couldn't load the configuration database [5]: Input/output error.

I reverted it to previous version as a temporary workaround:

zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1
Comment 1 Daniel Bischof 2019-04-05 12:00:31 UTC
Same here. This is a serious issue for me, since all my users are on IPA and without sssd, nobody is able to log in to their workstations.
Comment 2 Noel Power 2019-04-05 13:48:26 UTC
Where did the update come from?
Is this really Leap 15?

The only ldb I see in updates is https://build.opensuse.org/package/show/openSUSE:Leap:15.0:Update/ldb which is libldb1-1.2.3
Comment 3 alexis Pellicier 2019-04-05 13:56:13 UTC
Yes, it comes from the official openSUSE repo:

zypper lr -u

# | Alias           | Name            | Enabled | GPG Check | Refresh | URI   
1 | NON-OSS         | NON-OSS         | Yes     | (r ) Yes  | No      | http://download.opensuse.org/distribution/leap/15.0/repo/non-oss/                                                                                                                                              
2 | OSS             | OSS             | Yes     | (r ) Yes  | No      | http://download.opensuse.org/distribution/leap/15.0/repo/oss/                                                                                                                                                                     
3 | UPDATES-NON-OSS | UPDATES-NON-OSS | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.0/non-oss                                       
4 | UPDATES-OSS     | UPDATES-OSS     | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.0/oss                                           

zypper if libldb1
Loading repository data...
Reading installed packages...

Information for package libldb1:
--------------------------------
Repository     : UPDATES-OSS                                      
Name           : libldb1                                          
Version        : 1.2.3-lp150.7.2                                  
Arch           : x86_64                                           
Vendor         : openSUSE                                         
Installed Size : 343.2 KiB                                        
Installed      : Yes                                              
Status         : out-of-date (version 1.2.3-lp150.2.3.1 installed)
Source package : ldb-1.2.3-lp150.7.2.src                          
Summary        : An LDAP-like embedded database                   
Description    :                                                  
    LDB is an LDAP-like embedded database.

    This package includes the ldb1 library.
Comment 4 Wolfgang Bauer 2019-04-05 14:04:04 UTC
Looks like it's actually 1.2.4 though:
wolfi@linux-lf90:~> rpm -ql libldb1
/usr/lib64/ldb
/usr/lib64/ldb/asq.so
/usr/lib64/ldb/paged_results.so
/usr/lib64/ldb/paged_searches.so
/usr/lib64/ldb/rdn_name.so
/usr/lib64/ldb/sample.so
/usr/lib64/ldb/server_sort.so
/usr/lib64/ldb/skel.so
/usr/lib64/ldb/tdb.so
/usr/lib64/libldb.so.1
/usr/lib64/libldb.so.1.2.4
wolfi@linux-lf90:~> rpm -q libldb1
libldb1-1.2.3-lp150.7.2.x86_64
Comment 6 William Brown 2019-04-05 23:37:09 UTC
Seeing the same here:

Apr 06 09:28:04 lazuli systemd[1]: Starting System Security Services Daemon...
Apr 06 09:28:04 lazuli sssd[22634]: ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3
Apr 06 09:28:04 lazuli sssd[22634]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable
Apr 06 09:28:04 lazuli sssd[22634]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable
Apr 06 09:28:04 lazuli sssd[22634]: SSSD couldn't load the configuration database [5]: Input/output error.
Apr 06 09:28:04 lazuli systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Apr 06 09:28:04 lazuli systemd[1]: Failed to start System Security Services Daemon.
Apr 06 09:28:04 lazuli systemd[1]: sssd.service: Unit entered failed state.
Apr 06 09:28:04 lazuli systemd[1]: sssd.service: Failed with result 'exit-code'.

This is on transactional-server, fully updated with up/dup. Versions are:

openSUSE-release-15.0-lp150.129.1.x86_64
samba-libs-4.7.10+git.124.8d97fe90926-lp150.3.9.1.x86_64
sssd-1.16.1-lp150.2.9.1.x86_64

No further updates are available to me at this time:

lazuli:~ # transactional-update dup
Checking for newer version.
transactional-update 2.11 started
Options: dup
Separate /var detected.
Separate /etc detected.
zypper: nothing to update
transactional-update finished
Comment 7 Marcus Meissner 2019-04-06 14:04:24 UTC
*** Bug 1131753 has been marked as a duplicate of this bug. ***
Comment 8 Marcus Meissner 2019-04-06 14:04:39 UTC
*** Bug 1131754 has been marked as a duplicate of this bug. ***
Comment 9 Jean-François Juneau 2019-04-06 14:15:46 UTC
Same here, could not log in to the Active Directory domain from my openSUSE Leap 15 laptop this morning because the SSSD service was unable to start (reverting libldb1 to 1.2.3-lp150.2.3.1 fixes the issue):

2019-04-06T09:49:44.913043-04:00 lnxjfjuneau sssd[1235]: ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3
2019-04-06T09:49:44.913378-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable
2019-04-06T09:49:44.916528-04:00 lnxjfjuneau sssd[1235]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable
2019-04-06T09:49:44.918134-04:00 lnxjfjuneau sssd: SSSD couldn't load the configuration database [5]: Input/output error.
2019-04-06T09:49:45.049363-04:00 lnxjfjuneau systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
2019-04-06T09:49:45.050145-04:00 lnxjfjuneau systemd[1]: sssd.service: Unit entered failed state.
2019-04-06T09:49:45.050321-04:00 lnxjfjuneau systemd[1]: sssd.service: Failed with result 'exit-code'.
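
Added example (not part of the bug report or of any comment): a shell function that scans syslog or journal text for the ldb mismatch signature quoted in the comments above and reports the library version, the module version, the module file that failed to load and whether SSSD gave up. The helper name `find_ldb_mismatch` is hypothetical and the sample log lines are constructed from the format shown in this bug.

```shell
#!/bin/sh
# Added example: detect the "ldb: module version mismatch" signature.
# Reads log text on stdin, prints a one-line summary, returns 1 if the
# signature is absent. find_ldb_mismatch is a hypothetical helper name.
find_ldb_mismatch() {
    awk '
    /ldb: module version mismatch/ {
        lib = ""; mod = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ldb_version=/)    { lib = $i; sub(/^ldb_version=/, "", lib) }
            if ($i ~ /^module_version=/) { mod = $i; sub(/^module_version=/, "", mod) }
        }
        # Append "" to force string comparison, so 2.4 and 2.40 stay distinct.
        if (lib != "" && (lib "") != (mod "")) { hit = 1; libv = lib; modv = mod }
    }
    # Only the line naming a concrete .so file, not the directory line.
    /ldb: failed to initialise module .*\.so :/ {
        for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) so = $i
    }
    /SSSD couldn.t load the configuration database/ { fatal = 1 }
    END {
        if (!hit) exit 1
        printf "libldb=%s module=%s file=%s sssd_down=%s\n", libv, modv,
               (so == "" ? "unknown" : so), (fatal ? "yes" : "no")
    }'
}

# Constructed sample (host name and PID are made up).
SAMPLE_LOG="Apr 06 09:28:04 host sssd[100]: ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.4 module_version=1.2.3
Apr 06 09:28:04 host sssd[100]: ldb: failed to initialise module /usr/lib64/ldb/samba/acl.so : Unavailable
Apr 06 09:28:04 host sssd[100]: ldb: failed to initialise module /usr/lib64/ldb/samba : Unavailable
Apr 06 09:28:04 host sssd[100]: SSSD couldn't load the configuration database [5]: Input/output error."

printf '%s\n' "$SAMPLE_LOG" | find_ldb_mismatch
```

On a live host the input can come from `journalctl -u sssd -b --no-pager`; a non-zero return means the signature was not found.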
Comment 10 Marcus Meissner 2019-04-07 07:25:39 UTC
*** Bug 1131760 has been marked as a duplicate of this bug. ***
Comment 11 Johannes Weberhofer 2019-04-08 08:29:43 UTC
My intermediate fix is to roll back the update of libldb1 and lock the package. 
I guess there must be some influence on samba but I don't use it. At least my users can log in again:

zypper in --oldpackage libldb1-1.2.3-lp150.2.3.1
zypper addlock libldb1-1.2.3-lp150.2.3.1.x86_64

Don't forget to remove the lock when the problem has been solved.
Comment 12 Johannes Weberhofer 2019-04-08 08:40:13 UTC
In my previous comment the proper command is:

zypper addlock libldb1
Comment 13 Michael Rath 2019-04-08 09:37:48 UTC
Definitely a showstopper for all who are using sssd to authenticate.
The workaround of going back to the old version works, but either sssd should be updated to use the new version (and the naming should be changed to 1.2.4) or the patch should be backported to 1.2.3 (assuming this is really 1.2.4), for those not so good at fixing bugs themselves.
Comment 14 Marcus Meissner 2019-04-08 12:41:31 UTC
I am trying to expedite a fix release together with today's Samba security release :/
Comment 17 James McDonough 2019-04-09 11:17:55 UTC
*** Bug 1131829 has been marked as a duplicate of this bug. ***
Comment 18 Andreas Stieger 2019-04-09 14:36:14 UTC
Test update packages are available in the repositories below, in case anyone would like to verify the fix or deploy early.
http://download.opensuse.org/repositories/openSUSE:/Maintenance:/9994/openSUSE_Leap_15.0_Update/
http://download.opensuse.org/update/leap/15.0-test/x86_64/
Comment 19 Klaus Slott 2019-04-09 15:23:32 UTC
Thanks. Works for me.
Comment 21 Daniel Bischof 2019-04-10 08:56:09 UTC
Today's updates (libldb1 1.2.4-lp150.10.1, Samba 4.7.11+git.153.b36ceaf2235-lp150.3.14.1) resolved the issue for me.
Comment 22 Swamp Workflow Management 2019-04-10 10:10:16 UTC
openSUSE-SU-2019:1180-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1114407,1124223,1125410,1126377,1131060,1131686
CVE References: CVE-2019-3880
Sources used:
openSUSE Leap 15.0 (src):    ldb-1.2.4-lp150.10.1, samba-4.7.11+git.153.b36ceaf2235-lp150.3.14.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 23 Marcus Meissner 2019-04-10 14:47:23 UTC
*** Bug 1132049 has been marked as a duplicate of this bug. ***
Comment 24 Marcus Meissner 2019-04-10 14:47:39 UTC
fix released
Comment 25 Swamp Workflow Management 2019-04-25 22:10:28 UTC
SUSE-SU-2019:1040-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1114407,1124223,1125410,1126377,1131060,1131686
CVE References: CVE-2019-3880
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    avahi-0.6.32-5.5.3, samba-4.7.11+git.153.b36ceaf2235-4.27.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, gnutls-3.6.2-6.5.4, ldb-1.2.4-3.12.1, libnettle-3.4.1-4.9.1, samba-4.7.11+git.153.b36ceaf2235-4.27.1, tdb-1.3.15-3.6.3, tevent-0.9.36-4.10.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    cups-2.2.7-3.11.7
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, cups-2.2.7-3.11.7, gnutls-3.6.2-6.5.4, libnettle-3.4.1-4.9.1, libtasn1-4.13-4.2.1, p11-kit-0.23.2-4.2.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, cups-2.2.7-3.11.7, gamin-devel-0.1.10-3.2.3, gnutls-3.6.2-6.5.4, ldb-1.2.4-3.12.1, libnettle-3.4.1-4.9.1, libtasn1-4.13-4.2.1, p11-kit-0.23.2-4.2.1, samba-4.7.11+git.153.b36ceaf2235-4.27.1, talloc-2.1.11-3.5.3, talloc-man-2.1.11-3.5.3, tdb-1.3.15-3.6.3, tevent-0.9.36-4.10.3, tevent-man-0.9.36-4.10.3
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.153.b36ceaf2235-4.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Manfred Hupfer 2022-05-14 18:17:58 UTC
This bug is now back with openSUSE 15.3 and a version mismatch between ldb2 2.4.2 and 2.4.1:

Mai 14 18:41:17 yagi sssd[6425]: ldb: module version mismatch in ../../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=2.4.2 module_version=2.4.1
Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba/acl.so : Unavailable
Mai 14 18:41:17 yagi sssd[6425]: ldb: failed to initialise module /usr/lib64/ldb2/modules/ldb/samba : Unavailable
Mai 14 18:41:17 yagi sssd[6425]: SSSD couldn't load the configuration database [5]: Input/output error.
Mai 14 18:41:17 yagi systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION

As mentioned in the forum, it goes away when uninstalling the package "samba-dsdb-modules" which is a dependency for package "samba-ad-dc". 

Also the workaround of deleting the symlink "/usr/lib64/ldb/samba" mentioned by user ameijeiras back in 2019 still works.
Comment 27 Manfred Hupfer 2022-05-14 18:23:27 UTC
Edit: the symlink to be deleted is "/usr/lib64/ldb/samba/usr/lib64/ldb/samba" now.
Comment 28 Samuel Cabrero 2022-05-16 08:51:03 UTC
Hi Manfred,

We have updated the samba-dsdb-modules package to use the "%requires_eq" RPM macro to generate the libldb2 dependency at build time, which should prevent this issue from happening again in the future.

https://build.opensuse.org/request/show/976581

This change has been applied to 15.3, 15.4 and Tumbleweed.

*** This bug has been marked as a duplicate of bug 1199362 ***
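
Added example, not part of the comment above or of the openSUSE packaging: a shell check for whether a module package's RPM requirements pin the ldb library to one exact version, which is the property the "%requires_eq" change is meant to provide. It assumes the pin appears as a `libldb2 = <version>` requirement line; the helper name `ldb_pin_status` is hypothetical and the requirement lists are constructed.

```shell
#!/bin/sh
# Added example: classify how a package's requirements constrain libldb.
# stdin: lines in the style of `rpm -q --requires <package>`
# $1: library package name, $2: installed library version
# ldb_pin_status is a hypothetical helper name.
ldb_pin_status() {
    awk -v pkg="$1" -v have="$2" '
    $1 == pkg && $2 == "=" {
        want = $3
        sub(/-.*/, "", want)      # drop a release suffix if one is present
        pinned = 1
    }
    END {
        # Append "" to force string comparison, so 2.4 and 2.40 stay distinct.
        if (!pinned)                       print "unpinned"
        else if ((want "") == (have ""))   print "pinned-ok " want
        else print "pinned-mismatch want=" want " have=" have
    }'
}

# Constructed requirement lists (not copied from a real package).
REQ_UNPINNED='libldb2
libldb.so.2()(64bit)'
REQ_PINNED='libldb2 = 2.4.1
libldb.so.2()(64bit)'

# No exact pin: a library-only update can be installed under the modules.
printf '%s\n' "$REQ_UNPINNED" | ldb_pin_status libldb2 2.4.2
# Exact pin that matches the installed library.
printf '%s\n' "$REQ_PINNED" | ldb_pin_status libldb2 2.4.1
# Exact pin with the 2.4.2 / 2.4.1 skew from Comment 26: the dependency
# solver sees the conflict before the module loader does.
printf '%s\n' "$REQ_PINNED" | ldb_pin_status libldb2 2.4.2
```

On a host, feed it `rpm -q --requires samba-dsdb-modules` and pass the output of `rpm -q --qf '%{VERSION}' libldb2` as the version.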