Bug 1043639

Summary: Crash of slapi-nis during ipa-adtrust-install
Product: Red Hat Enterprise Linux 6
Reporter: Nalin Dahyabhai <nalin>
Component: slapi-nis
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NEXTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.5
CC: abokovoy, dpal, jgalipea, mkosek, nalin, spoore, tbabej
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: slapi-nis-0.40-6.el6
Doc Type: Bug Fix
Clone Of: 1043546
Last Closed: 2014-07-25 18:07:23 UTC
Type: Bug
Bug Depends On: 1043546
Bug Blocks: 1061410

Description Nalin Dahyabhai 2013-12-16 19:13:17 UTC
+++ This bug was initially created as a clone of Bug #1043546 +++

Description of problem:

Investigation of Bug 1041732 showed there are two separate crashes. This is a tracking bug for the crash that occurs in slapi-nis (first crash in the original bug).


Version-Release number of selected component (if applicable):

slapi-nis-0.50-1.fc20.x86_64

How reproducible:

always

Steps to Reproduce:
1. Install IPA server on F20
2. Install IPA AD trust support

See Bug 1041732 for the attached stacktrace, core dump and other additional information.

Particularly note https://bugzilla.redhat.com/show_bug.cgi?id=1041732#c6

--- Additional comment from Fedora Update System on 2013-12-16 14:11:11 EST ---

slapi-nis-0.52-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc20

--- Additional comment from Fedora Update System on 2013-12-16 14:11:24 EST ---

slapi-nis-0.52-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc18

--- Additional comment from Fedora Update System on 2013-12-16 14:11:36 EST ---

slapi-nis-0.52-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc19

Comment 1 Martin Kosek 2014-01-02 11:25:51 UTC
Just checking, isn't this Bug only applicable to the updated RHEL-7.0 slapi-nis?

Comment 2 Nalin Dahyabhai 2014-01-02 16:12:51 UTC
We only started triggering it on some systems while doing ipa-adtrust-install, but the bug in slapi-nis that it hit has been there since the very first release.

Comment 5 Namita Soman 2014-04-24 16:37:31 UTC
Please add steps to verify

Comment 6 Nalin Dahyabhai 2014-04-29 21:13:22 UTC
I don't think we've seen the described crash on EL6, though that may be up to differences in how the memcpy() implementation being used differs between the releases.  Actually, I'm not reproducing it on updated EL7, either.

The triggering scenario involved adding and then removing a single map, where the bug being hit during its removal would corrupt an internal array such that the plugin's subsequent attempts to manipulate its data would... go badly.  An attempt to force this would probably involve adding many maps to the plugin's configuration and then removing them in the order in which they'd been added.

This test, however, isn't doing much more than chewing up connections on my EL6 box:

#!/bin/bash
managerpw=supersecretsecret
base=`grep ^basedn= /etc/ipa/default.conf | cut -f2- -d=`
domain=`grep ^domain= /etc/ipa/default.conf | cut -f2- -d=`
count=1025
# Add $count NIS maps to the plugin's configuration.
# The here-document body is left unindented: "<<-" strips only leading
# tabs, and an LDIF line that starts with a space is a continuation line.
for map in `seq $count`; do
        ldapadd -h localhost -x -D "cn=directory manager" -w "$managerpw" <<-EOF
dn: nis-map=map$map+nis-domain=sub.example.com,cn=NIS Server,cn=plugins,cn=config
objectclass: extensibleObject
nis-map: map$map
nis-domain: sub.example.com
nis-base: cn=accounts,$base
nis-filter: objectclass=*
nis-keys-format: %{entrydn}
nis-values-format: %{modifyTimestamp}
nis-secure: no

EOF
done
# Remove the maps in the order they were added. Before each removal,
# query every 32nd map starting with the one about to be removed.
for map in `seq $count`; do
        for maps in `seq $map 32 $count`; do
                ypcat -k -h localhost -d sub.example.com "map$maps" > /dev/null
        done
        ldapdelete -h localhost -x -D "cn=directory manager" -w "$managerpw" "nis-map=map$map+nis-domain=sub.example.com,cn=NIS Server,cn=plugins,cn=config"
done

This may end up having to be a sanity-only bug.
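
Added example (not slapi-nis code and not part of the comment above): Comment 6 ties the crash to differences between memcpy() implementations, and one defect class that behaves this way is an overlapping copy made while closing a gap in an array. The table layout, the function names and the premise that the copy overlapped are assumptions made for illustration; the page does not state the exact defect.

```c
#include <stddef.h>
#include <string.h>

/* Both loops are valid memcpy() implementations: the C standard defines
 * memcpy() only for non-overlapping regions, so a libc may copy in
 * either direction, and different releases have made different choices. */
static void copy_forward(void *dst, const void *src, size_t n) {
    unsigned char *d = dst; const unsigned char *s = src;
    for (size_t i = 0; i < n; i++) d[i] = s[i];
}
static void copy_backward(void *dst, const void *src, size_t n) {
    unsigned char *d = dst; const unsigned char *s = src;
    while (n-- > 0) d[n] = s[n];
}
/* memmove() is specified to handle overlapping regions. */
static void move_safe(void *dst, const void *src, size_t n) {
    memmove(dst, src, n);
}

typedef void (*copy_fn)(void *, const void *, size_t);

/* Hypothetical table of map ids: remove entry idx by sliding the tail
 * down one slot. Source and destination overlap whenever more than one
 * entry follows idx. Returns the new entry count. */
static size_t remove_entry(int *ids, size_t count, size_t idx, copy_fn copy) {
    if (idx >= count) return count;   /* out of range: nothing removed */
    copy(&ids[idx], &ids[idx + 1], (count - idx - 1) * sizeof(ids[0]));
    return count - 1;
}

/* Returns 1 if removing the first of five constructed ids (1..5) with
 * the given copy routine leaves exactly 2,3,4,5, and 0 otherwise. */
static int removal_is_correct(copy_fn copy) {
    int ids[5] = {1, 2, 3, 4, 5};     /* constructed sample data */
    static const int want[4] = {2, 3, 4, 5};
    size_t n = remove_entry(ids, 5, 0, copy);
    return n == 4 && memcmp(ids, want, sizeof(want)) == 0;
}

int main(void) {
    /* Exit status 0: the forward copy happens to work, the backward
     * copy corrupts the table, memmove() is correct either way. */
    return !(removal_is_correct(copy_forward) &&
             !removal_is_correct(copy_backward) &&
             removal_is_correct(move_safe));
}
```

A defect of this kind can sit unnoticed for many releases when the libc in use copies in the direction that happens to work, then surface when another libc copies the other way.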

Comment 8 Scott Poore 2014-07-21 17:52:44 UTC
Unable to reproduce this error on either RHEL6.5 or RHEL6.6.  I'm marking this one verified sanityonly.

Verified.

Version ::

slapi-nis-0.40-6.el6.x86_64

Results ::

[root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$IPA_NETBIOS -a Secret123

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================


[root@rhel6-1 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING

[root@rhel6-1 ~]# grep -i segfault /var/log/ipaserver-install.log

[root@rhel6-1 ~]# grep -i segfaul /var/log/messages

[root@rhel6-1 ~]# 

[root@rhel6-1 ~]# echo Secret123 | ipa-compat-manage enable

Plugin already Enabled

[root@rhel6-1 ~]# echo Secret123| ipa-nis-manage enable

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

[root@rhel6-1 ~]# service rpcbind restart
Stopping rpcbind:                                          [  OK  ]
Starting rpcbind:                                          [  OK  ]

[root@rhel6-1 ~]# service dirsrv restart
Shutting down dirsrv: 
    IPA1-EXAMPLE-TEST...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv: 
    IPA1-EXAMPLE-TEST...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]

[root@rhel6-1 ~]# vi bz1

[root@rhel6-1 ~]# sh bz1 > bz.out 2>&1

[root@rhel6-1 ~]# abrt-cli list

[root@rhel6-1 ~]# grep -i segfault /var/log/ipaserver-install.log

[root@rhel6-1 ~]# grep -i segfaul /var/log/messages

[root@rhel6-1 ~]# cat bz1
#!/bin/bash
managerpw=Secret123
base=`grep ^basedn= /etc/ipa/default.conf | cut -f2- -d=`
domain=`grep ^domain= /etc/ipa/default.conf | cut -f2- -d=`
count=1025
for map in `seq $count`; do

ldapadd -h localhost -x -D "cn=directory manager" -w "$managerpw" <<-EOF
dn: nis-map=map$map+nis-domain=ipa1.example.test,cn=NIS Server,cn=plugins,cn=config
objectclass: extensibleObject
nis-map: map$map
nis-domain: ipa1.example.test
nis-base: cn=accounts,$base
nis-filter: objectclass=*
nis-keys-format: %{entrydn}
nis-values-format: %{modifyTimestamp}
nis-secure: no

EOF

done

for map in `seq $count`; do
        for maps in `seq $map 32 $count`; do
                ypcat -k -h localhost -d ipa1.example.test "map$maps" > /dev/null
        done
        ldapdelete -h localhost -x -D "cn=directory manager" -w "$managerpw" "nis-map=map$map+nis-domain=ipa1.example.test,cn=NIS Server,cn=plugins,cn=config"
done