/usr/sbin/sss_obfuscate fails to run: ImportError: No module named pysss

Bug #1862226 reported by Eric Desrochers
This bug affects 1 person
Affects        Status        Importance  Assigned to  Milestone
sssd (Debian)  Fix Released  Unknown
sssd (Ubuntu)  Fix Released  Undecided   Unassigned
  Bionic       Fix Released  Medium      Dan Hill
  Eoan         Fix Released  Undecided   Unassigned

Bug Description

[Impact]

Current bionic d/control doesn't include "python3-sss" or "python-sss" as runtime dependency:

Package: sssd-tools
Architecture: any
Depends:
 python,
 sssd-common (= ${binary:Version}),
 ${misc:Depends},
 ${shlibs:Depends}
Description: System Security Services Daemon -- tools
 Provides a set of daemons to manage access to remote directories and
 authentication mechanisms. It provides an NSS and PAM interface toward
 the system and a pluggable backend system to connect to multiple different
 account sources. It is also the basis to provide client auditing and policy
 services for projects like FreeIPA.

Current workaround:
One can install the dependency by hand.

[Test Case]

# lsb_release -cs
bionic

# Install sssd-tools

# sss_obfuscate
Traceback (most recent call last):
  File "/usr/sbin/sss_obfuscate", line 8, in <module>
    import pysss
ImportError: No module named pysss

[Potential Regression]

* After adding the dependency, if one runs, let's say, 'apt-get upgrade':

APT-GET(8) - upgrade:
under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed.

Meaning that one who would go that route, may not be able to get the update and will continue to experience the problem (No module named pysss)

APT-GET(8) - dist-upgrade:
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages

* Since sss_obfuscate never worked out of the box (without one installing the missing dependency manually) ... first I don't expect a significant adoption/use of this binary, since it took years for one to discover it ... but since we are 'enabling' sss_obfuscate to finally work out of the box ... who knows what bugs can be found in sss_obfuscate that we didn't know before because it was simply not used.

Clearly autopkgtest doesn't test that functionality, otherwise it would have caught this before. Some dogfooding testing of sss_obfuscate in -proposed may be useful to catch potential bugs related to its "enablement". It should be trivial to test, the program does only one thing:

SSS_OBFUSCATE(8):
sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file.

http://manpages.ubuntu.com/manpages/bionic/en/man8/sss_obfuscate.8.html

* Worst worst case, sss_obfuscate still won't work as it currently does anyway, and so far it didn't seem to be a major problem in the sssd ubuntu community. But with the dogfooding testing we should be good to catch any obvious irregularity.

It should be fine since disco uses the same upstream version and has the right dependency, so sssd-tools in Bionic and Disco are very code alike.

[Other Infos]

* Debian upstream:
https://salsa.debian.org/sssd-team/sssd/commit/b41c0f81c6dcc672636220c46ed3d52f3b69ba7c

* Debian Bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905220

Rmadison:
=> sssd-tools | 1.16.1-1ubuntu1.4 | bionic-updates
   sssd-tools | 2.2.0-4ubuntu1 | eoan
   sssd-tools | 2.2.2-1 | focal
   sssd-tools | 2.2.2-1ubuntu1 | focal-proposed

Eric Desrochers (slashd)
tags: added: sts
description: updated
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Eoan):
status: New → Fix Released
Changed in sssd (Ubuntu):
status: New → Fix Released
Changed in sssd (Ubuntu Bionic):
status: New → Confirmed
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Bionic):
assignee: nobody → Dan Hill (hillpd)
importance: Undecided → Medium
Eric Desrochers (slashd)
description: updated
Changed in sssd (Debian):
status: Unknown → Fix Released
Andreas Hasenack (ahasenack) wrote :

Did you investigate why this wasn't caught by the automatic dependency generation? dh-python? I seem to remember a sed changed the shebang, maybe it did that too late?

Eric Desrochers (slashd) wrote :

The sed you are referring to is only found in focal:

sssd-2.2.2/debian/rules: sed -i -e 's:/usr/bin/python:/usr/bin/python3:' $(CURDIR)/debian/tmp/usr/sbin/sss_obfuscate

My understanding of "dh_python*" is that it will try to convert python dependencies from a source such as requirements.txt for instance.

If there is no existence of it in the src code (which seems to be the case in sssd) then I don't see how dh_python* can know about it, other than implicitly adding the Depends in d/control.

Eric Desrochers (slashd) wrote :

man page refers to 'requires.txt' file, which doesn't exist in the sssd src code.

Until I'm proven wrong, I don't think there is a dependency calculation that can be auto-magically done at the moment within current sssd pkg, unless one adds the runtime dependency.

===
DH_PYTHON3(1)
===
...
NOTES
   dependencies
       dh_python3 tries to translate Python dependencies from the requires.txt file to Debian dependencies.
...
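
An added example (not part of the bug report or of the sssd packaging): a check of the kind the thread says autopkgtest lacked, comparing a script's imports with the Depends field of its package stanza. The script body, the module-to-package map and the stdlib list are constructed assumptions; on an installed system `dpkg -S` would tell you which package owns a module file.

```python
import ast
import re

# Control stanza as quoted in the bug description (Description field omitted).
CONTROL_STANZA = """\
Package: sssd-tools
Architecture: any
Depends:
 python,
 sssd-common (= ${binary:Version}),
 ${misc:Depends},
 ${shlibs:Depends}
"""
# Constructed stand-in for /usr/sbin/sss_obfuscate; only "import pysss" is from the page.
SCRIPT = "import sys\nfrom optparse import OptionParser\nimport pysss\n"
# Assumed module -> providing packages map and interpreter-shipped modules.
MODULE_PROVIDERS = {"pysss": {"python-sss", "python3-sss"}}
STDLIB = {"sys", "optparse"}

def parse_depends(stanza):
    """Return the package names listed in the stanza's Depends field."""
    fields, current = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t") and current:   # continuation line
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    names = set()
    for group in fields.get("Depends", "").split(","):
        for alt in group.split("|"):
            name = re.sub(r"[\s(:\[].*", "", alt.strip())  # drop version/arch qualifiers
            if name and not name.startswith("${"):          # skip substvars
                names.add(name)
    return names

def imported_modules(source):
    """Top-level module names imported anywhere in the script."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods

def missing_runtime_deps(stanza, source):
    """Map each non-stdlib import to its providers when none is in Depends."""
    depends = parse_depends(stanza)
    return {m: sorted(MODULE_PROVIDERS.get(m, ()))
            for m in imported_modules(source) - STDLIB
            if not MODULE_PROVIDERS.get(m, set()) & depends}

if __name__ == "__main__":
    print(missing_runtime_deps(CONTROL_STANZA, SCRIPT))
```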

Eric Desrochers (slashd)
tags: added: sts-sponsor-dgadomski
Dan Hill (hillpd) wrote :
Changed in sssd (Ubuntu Bionic):
status: Confirmed → In Progress
Łukasz Zemczak (sil2100) wrote :

This required promoting the python-sss binary to main, so I did that:
Override component to main
python-sss 1.16.1-1ubuntu1.4 in bionic amd64: universe/utils/extra/100% -> main
python-sss 1.16.1-1ubuntu1.4 in bionic arm64: universe/utils/extra/100% -> main
python-sss 1.16.1-1ubuntu1.4 in bionic armhf: universe/utils/extra/100% -> main
python-sss 1.16.1-1ubuntu1.4 in bionic i386: universe/utils/extra/100% -> main
python-sss 1.16.1-1ubuntu1.4 in bionic ppc64el: universe/utils/extra/100% -> main
python-sss 1.16.1-1ubuntu1.4 in bionic s390x: universe/utils/extra/100% -> main
Override [y|N]? y
6 publications overridden.

Eric Desrochers (slashd) wrote :

Thanks Lukasz,

$ lsb_release -cs
bionic

$ apt-cache policy python-sss
python-sss:
  Installed: (none)
  Candidate: 1.16.1-1ubuntu1.4
  Version table:
     1.16.1-1ubuntu1.4 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

Dariusz Gadomski (dgadomski) wrote :

I've just run a test against the modified version built in a ppa:
=== >8 ====
# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  python-sss
The following packages will be upgraded:
  libipa-hbac0 libnss-sss libpam-sss libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 libsss-simpleifp0 libsss-sudo python3-sss sssd sssd-ad sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools
20 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 2350 kB of archives.
After this operation, 539 kB of additional disk space will be used.
Do you want to continue? [Y/n] ^C
=== eof ===

So even running 'apt upgrade' pulls in the missing dependency.

I checked 'man apt':
"upgrade (...)
New packages will be installed if required to satisfy dependencies, but existing packages will never be removed."

So I guess that's consistent with what I observed. This makes it 1 less thing to worry about.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Eric, or anyone else affected,

Accepted sssd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.16.1-1ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Eric Desrochers (slashd) wrote :

[VERIFICATION BIONIC]

# lsb_release -cs
bionic

# Installed 'sssd-tools' from bionic-proposed

# dpkg
ii python-sss 1.16.1-1ubuntu1.5 amd64 Python module for the System Security Services Daemon
ii python3-sss 1.16.1-1ubuntu1.5 amd64 Python3 module for the System Security Services Daemon
ii sssd 1.16.1-1ubuntu1.5 amd64 System Security Services Daemon -- metapackage

# sss_obfuscate --help
-----------
Usage: sss_obfuscate [options]

sss_obfuscate converts a given password into
human-unreadable format and places it into
appropriate domain section of the SSSD config
file. The password can be passed in by stdin,
specified on the command-line or entered
interactively

Options:
  -h, --help show this help message and exit
  -s, --stdin Read the password from stdin.
  -d DOMNAME, --domain=DOMNAME
                        The domain to use the password in (mandatory)
  -f FILE, --file=FILE Set input file to FILE (default: Use system default,
                        usually /etc/sssd/sssd.conf)
----------

Looks good so far.
Some dogfooding with 'sss_obfuscate' might be good to clarify the functionality works, but I confirmed the module import is fixed.

Eric Desrochers (slashd) wrote :

FYI....

I would wait until someone tested the tool w/ data to support the fact that the tool works as expected before considering any release.

Once we have a confirmation and/or data to support it, I'll be fine to change the tag and ask for its release.

Thanks !

Nick Niehoff (nniehoff) wrote :

I have tested this on bionic, the required dependencies are there and it adds the correct parameters to the sssd.conf file as described in the man page.

Nick Niehoff (nniehoff)
tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Eric Desrochers (slashd)
tags: removed: sts-sponsor-dgadomski
Łukasz Zemczak (sil2100) wrote :

I think this was in -proposed long enough. Thanks for all the testing!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.1-1ubuntu1.5

---------------
sssd (1.16.1-1ubuntu1.5) bionic; urgency=medium

  * d/control: sssd-tools: Add missing python-sss dependency. (LP: #1862226)

 -- Dan Hill <email address hidden> Wed, 19 Feb 2020 16:17:19 -0700

Changed in sssd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
