Bloodfire
Universal Blue
Created by Bloodfire on 1/9/2025 in #🛟bazzite-help
SSSD broken, unable to login since capabilities changes made to sssd-2.10.1
SSSD is currently broken in Bazzite, meaning you can't log in when using LDAP/FreeIPA/etc.
Bazzite issue here: https://github.com/ublue-os/bazzite/issues/2030
This had a fix pushed through via rechunk here: https://github.com/hhd-dev/rechunk/pull/9
However, rechunk changes are not applying in the images built. You can see this here: https://github.com/ublue-os/bazzite/issues/2088
Right now this means anyone not using local login is stuck on 41.20241216.0 until the build-bot is fixed to appropriately apply the fix merged in the above PR.
# Capabilities currently:
getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

# Expected capabilities as per upstream changes:
/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p
Hopefully the build bot can be fixed soon as this is a breaking change that prevents upgrades.
23 replies
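
A check for the capability drift described in the post above, as an added example that is not part of the original post and is not Bazzite or SSSD project code. The names `cap_drift`, `normalize`, `EXPECTED` and `SAMPLE_BROKEN` are hypothetical; the capability values are the ones quoted in the post, and the script assumes `getcap` prints one `path caps=flags` clause per file, as it does there.

```shell
#!/bin/sh
# Expected file capabilities, copied from the post's "expected" list.
EXPECTED='/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p'

# getcap output quoted in the post for the affected image, used as offline sample.
SAMPLE_BROKEN='/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p'

# Rewrite "path caps=flags" lines with the capability names sorted, so that
# the comparison does not depend on the order getcap prints them in.
normalize() {
  awk 'NF == 2 && split($2, kv, "=") == 2 {
    m = split(kv[1], caps, ",")
    for (i = 2; i <= m; i++) {            # insertion sort, portable awk
      v = caps[i]
      for (j = i - 1; j >= 1 && caps[j] > v; j--) caps[j + 1] = caps[j]
      caps[j + 1] = v
    }
    out = caps[1]
    for (i = 2; i <= m; i++) out = out "," caps[i]
    print $1, out "=" kv[2]
  }'
}

# cap_drift GETCAP_OUTPUT: print one DRIFT line per binary whose capabilities
# differ from EXPECTED (or are missing); return 1 if any drift was found.
cap_drift() {
  actual=$(printf '%s\n' "$1" | normalize)
  rc=0
  while read -r path want; do
    have=$(printf '%s\n' "$actual" | awk -v p="$path" '$1 == p { print $2 }')
    if [ "$have" != "$want" ]; then
      echo "DRIFT $path: have ${have:-none} want $want"
      rc=1
    fi
  done <<EOF
$(printf '%s\n' "$EXPECTED" | normalize)
EOF
  return $rc
}

# Offline demo on the post's output. On a real host:
#   cap_drift "$(getcap /usr/libexec/sssd/*)"
cap_drift "$SAMPLE_BROKEN" || echo "file capabilities differ from the expected set"
```

Run against an image before rebasing to it, a non-zero return flags the build as one where the SSSD helper binaries do not carry the expected capability set.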