Bug 1071823

Summary: sssd_be[1507]: segfault at 8 ip 000000000040f68c sp 00007fff22d76f30 error 4 in sssd_be[400000+8c000]
Product: Red Hat Enterprise Linux 6
Reporter: Christian Horn <chorn>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Priority: medium
Version: 6.5
CC: brian.murrell, dpal, grajaiya, jagee, jgalipea, lslebodn, mkosek, pbrezina, preichl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.11.5.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Hostid backend was used even when unconfigured
Consequence: SSSD crashes when connecting via ssh
Fix: Check that hostid backend is configured properly
Result: SSSD no longer crashes when hostid backend is not configured
Last Closed: 2014-10-14 04:48:06 UTC
Type: Bug
Bug Depends On: 1051164    
Bug Blocks: 994246    
Attachments:
Description | Flags
sosreport of affected system | none
coredump | none
sosreport of affected system. sssd-1.9.2-129.el6 from RHEL6.5GA used | none

Description Christian Horn 2014-03-03 08:56:31 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Christian Horn 2014-03-03 09:00:17 UTC
Sorry, one "return" too much.

Description of problem:
  sssd_be segfault

Version-Release number of selected component (if applicable):
  current

How reproducible:
  always

Steps to Reproduce:
1. deploy SSSD and sssd.conf from sosreport
2. prepare pam config as per sosreport (basically deployed by authconfig to use sssd)
3. start sssd
4. "ssh chorn@localhost"

Actual results:
Mar  3 08:49:57 rhel6u4a kernel: sssd_be[1507]: segfault at 8 ip 000000000040f68c sp 00007fff22d76f30 error 4 in sssd_be[400000+8c000]
Mar  3 08:49:58 rhel6u4a abrt[1514]: Saved core dump of pid 1507 (/usr/libexec/sssd/sssd_be) to /var/spool/abrt/ccpp-2014-03-03-08:49:57-1507 (1253376 bytes)
Mar  3 08:49:58 rhel6u4a abrtd: Directory 'ccpp-2014-03-03-08:49:57-1507' creation detected
Mar  3 08:49:58 rhel6u4a sssd[be[fluxcoil.net]]: Starting up
Mar  3 08:49:59 rhel6u4a abrtd: Package 'sssd' isn't signed with proper key
Mar  3 08:49:59 rhel6u4a abrtd: 'post-create' on '/var/spool/abrt/ccpp-2014-03-03-08:49:57-1507' exited with 1
Mar  3 08:49:59 rhel6u4a abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2014-03-03-08:49:57-1507'


Expected results:
No segfault

Additional info:
I can also supply the KVM guest that contains this, in case it turns out to be harder to reproduce than assumed.
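
The kernel line under "Actual results" above carries enough to start triage before the core dump is opened. The decoder below is an added example, not part of the original report or of SSSD; the 4 KiB threshold used to flag a likely NULL-plus-offset dereference is an assumption, and the second sample line is constructed.

```python
import re

# Kernel segfault report as written to syslog by x86 Linux (all numbers are hex).
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
PAGE_SIZE = 4096  # assumption: a fault inside page 0 suggests NULL + field offset


def decode_segfault(line):
    """Return a dict describing one kernel segfault line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m.group(k), 16) for k in ("addr", "ip", "err"))
    info = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        # x86 page-fault error code: bit 0 = protection violation (else page not
        # present), bit 1 = write (else read), bit 2 = user mode, bit 4 = fetch
        "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
        "user_mode": bool(err & 0x4),
        "page_present": bool(err & 0x1),
        "null_deref_likely": addr < PAGE_SIZE,
        "object": m.group("obj"),
        "offset_in_mapping": None,
    }
    if m.group("base"):
        base, size = int(m.group("base"), 16), int(m.group("size"), 16)
        if base <= ip < base + size:
            info["offset_in_mapping"] = ip - base  # faulting instruction, relative
    return info


# First line is copied from the report above; the second is constructed.
SAMPLE = [
    "Mar  3 08:49:57 rhel6u4a kernel: sssd_be[1507]: segfault at 8 ip "
    "000000000040f68c sp 00007fff22d76f30 error 4 in sssd_be[400000+8c000]",
    "Mar  3 08:50:01 host kernel: demo[42]: segfault at 7f00deadb000 ip "
    "00007f00deadb000 sp 00007ffc00000000 error 15",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_segfault(entry))
```

For the reported line this gives a user-mode read of a non-present page at address 8, which is the pattern of reading a struct field through a NULL pointer.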

Comment 3 Christian Horn 2014-03-03 09:02:42 UTC
Created attachment 869858 [details]
sosreport of affected system

Comment 4 Christian Horn 2014-03-03 09:11:00 UTC
Created attachment 869860 [details]
coredump

Comment 5 Christian Horn 2014-03-03 09:14:16 UTC
Created attachment 869861 [details]
sosreport of affected system. sssd-1.9.2-129.el6 from RHEL6.5GA used

Comment 6 Jakub Hrozek 2014-03-03 09:21:32 UTC
Pavel, can you try and reproduce the bug using Christian's config?

Comment 7 Pavel Reichl 2014-03-05 10:46:12 UTC
To replicate the bug it was needed to have:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

in /etc/ssh/sshd_config

The bug itself is reproducible only in SSSD 1.9 because in later releases it was fixed by:

https://git.fedorahosted.org/cgit/sssd.git/commit/?id=3082504f4fb4e4efdc50c99369204e5b2cfac40e

SSSD 1.11 should be soon supported on RHEL 6.5 so there is probably no need for any other action.

Comment 8 Christian Horn 2014-03-05 12:51:10 UTC
(In reply to Pavel Reichl from comment #7)
> To replicate the bug it was needed to have:
> 
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> PubkeyAuthentication yes
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> 
> in /etc/ssh/sshd_config
Good investigation!
I think these are the defaults deployed from kickstart.. did you tune these on your test system then and thus not hit the issue initially?

> The bug itself is reproducible only in SSSD 1.9 because in later releases it
> was fixed by:
> https://git.fedorahosted.org/cgit/sssd.git/commit/?id=3082504f4fb4e4efdc50c99369204e5b2cfac40e
I have the issue documented in kbase https://access.redhat.com/site/solutions/745093 so we have good chances that others hitting this will map it easily to the bz here.

> SSSD 1.11 should be soon supported on RHEL 6.5 so there is probably no need
> for any other action.
Rebase is planned inside of 6.5.z stream then?  Sounds quite heavy for happening inside of a z-stream..

For me it sounds ok to wait for a rebase to solve this, we have not yet seen this in customer environments.

Comment 9 Pavel Reichl 2014-03-05 13:10:13 UTC
Sorry for misunderstanding, I meant that it will be solved on next RHEL 6 release bz1051164 (no 6.5.z stream is planned).

> I think these are the defaults deployed from kickstart.. did you tune
> these on your test system then and thus not hit the issue initially?

They were not in my default sshd_config.

Comment 10 Christian Horn 2014-03-05 13:13:33 UTC
(In reply to Pavel Reichl from comment #9)
> Sorry for misunderstanding, I meant that it will be solved on next RHEL 6
> release bz1051164 (no 6.5.z stream is planned).
Ok, thanks for clearing up.

Comment 11 Jakub Hrozek 2014-03-05 13:44:17 UTC
(In reply to Christian Horn from comment #8)
> > SSSD 1.11 should be soon supported on RHEL 6.5 so there is probably no need
> > for any other action.
> Rebase is planned inside of 6.5.z stream then?  Sounds quite heavy for
> happening inside of a z-stream..
> 
> For me it sounds ok to wait for a rebase to solve this, we have not yet seen
> this in customer environments.

No, the rebase is coming up in 6.6. We would backport this specific fix in case a customer hits the issue.

FWIW, the SSSD has a mechanism to restart the worker processes in case of a failure. So even though a segfault is bad, it should only disrupt the one operation in progress, not the whole setup.

Comment 12 Jakub Hrozek 2014-03-05 16:08:26 UTC
The upstream fix was 3082504f4fb4e4efdc50c99369204e5b2cfac40e

Comment 13 Jakub Hrozek 2014-03-17 21:55:11 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1751

Comment 15 Brian J. Murrell 2014-05-04 18:46:17 UTC
(In reply to Jakub Hrozek from comment #11)
> We would backport this specific fix in
> case a customer hits the issue.

It is: 1093795.

Comment 16 Jakub Hrozek 2014-05-05 13:17:21 UTC
*** Bug 1093795 has been marked as a duplicate of this bug. ***

Comment 17 Jeremy Agee 2014-09-12 21:14:05 UTC
Marking verified.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: sss_ssh_knownhostsproxy001: bz 1071823 segfault when HostID back end target is not configured
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'ssh_user_password_login sshtestuser Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages' should not contain 'sssd_be\[[0-9]*\]: segfault' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'HostID back end target is not configured' 
:: [   LOG    ] :: Duration: 13s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: sss_ssh_knownhostsproxy001: bz 1071823 segfault when HostID back end target is not configured

Comment 18 errata-xmlrpc 2014-10-14 04:48:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html