Bug 1396485

Summary: sssd_be keeps crashing if id_provider=ad or ipa and auth_provider=krb5
Product: Red Hat Enterprise Linux 7 Reporter: Marcel Kolaja <mkolaja>
Component: sssd Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 7.3 CC: ashbyj, cww, grajaiya, jhrozek, jstephen, lslebodn, minyu, mkolaja, mkosek, mupadhye, mzidek, pbrezina, sbose, sgoveas, sssd-maint, striker, tscherf
Target Milestone: rc Keywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.14.0-43.el7_3.6 Doc Type: Bug Fix
Doc Text:
Previously, if the "ipa" or "ad" subdomain provider was set in the /etc/sssd/sssd.conf file, the System Security Services Daemon (SSSD) accessed only data that the respective authentication provider sets up. As a consequence, if the user configured the "ipa" or "ad" subdomain provider with a different authentication provider, SSSD accessed uninitialized memory and terminated unexpectedly. A patch has been applied and SSSD now only accesses data if the same authentication and subdomain provider are configured. As a result, SSSD no longer fails in the described scenario.
Story Points: ---
Clone Of: 1392444 Environment:
Last Closed: 2017-01-17 18:09:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1392444    
Bug Blocks:    

Description Marcel Kolaja 2016-11-18 13:13:09 UTC
This bug has been copied from bug #1392444 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 5 Madhuri 2017-01-06 06:57:04 UTC
Tested with 
sssd-1.14.0-43.el7_3.11.x86_64

Steps followed during verification:
1) Configure sssd on client.
2) Set id_provider=ad and auth_provider=krb5 in sssd.conf.
3) Start the sssd service.

# cat  /etc/sssd/sssd.conf | grep provider
id_provider = ad
auth_provider = krb5

# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Thu 2017-01-05 12:33:31 EST; 5min ago
  Process: 4212 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 4213 (sssd)
   CGroup: /system.slice/sssd.service
           ├─4213 /usr/sbin/sssd -D -f
           ├─4214 /usr/libexec/sssd/sssd_be --domain EXAMPLE.COM --uid 0 --gid 0 --debug-to-files
           ├─4215 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─4216 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

# getent passwd test@EXAMPLE.COM
test@EXAMPLE.COM:*:715401139:715400513:test:/home/EXAMPLE.COM/test:/bin/bash

# id test@EXAMPLE.COM
uid=715401139(test@EXAMPLE.COM) gid=715400513(domain users@EXAMPLE.COM) groups=715400513(domain users@EXAMPLE.COM)
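
An added example, not part of the original bug report or of SSSD: a small audit that reads an sssd.conf and lists the enabled domains using the provider combination from the Doc Text (an "ad" or "ipa" subdomain provider with a different authentication provider), so hosts that need the fixed package can be identified. It assumes that auth_provider and subdomains_provider fall back to the value of id_provider when unset; the function name and the sample configuration are constructed for illustration.

```python
import configparser

AFFECTED = {"ad", "ipa"}  # providers named in the bug's Doc Text

def audit_sssd_conf(text):
    """Return (domain, subdomains_provider, auth_provider) for each enabled
    domain whose providers match the mismatch described in this bug."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Only domains listed in [sssd] "domains" are started by the daemon.
    enabled = {d.strip() for d in
               cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    findings = []
    for section in cp.sections():
        name = section[len("domain/"):]
        if not section.startswith("domain/") or name not in enabled:
            continue
        opts = cp[section]
        id_provider = opts.get("id_provider", "").strip().lower()
        # Assumption: unset options fall back to the value of id_provider.
        subdom = opts.get("subdomains_provider", id_provider).strip().lower()
        auth = opts.get("auth_provider", id_provider).strip().lower()
        if subdom in AFFECTED and auth != subdom:
            findings.append((name, subdom, auth))
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE = """\
[sssd]
services = nss, pam
domains = EXAMPLE.COM, IPA.TEST, LDAP.TEST

[domain/EXAMPLE.COM]
id_provider = ad
auth_provider = krb5

[domain/IPA.TEST]
id_provider = ipa

[domain/LDAP.TEST]
id_provider = ldap
auth_provider = krb5

[domain/OLD.TEST]
id_provider = ad
auth_provider = krb5
"""

if __name__ == "__main__":
    for domain, subdom, auth in audit_sssd_conf(SAMPLE):
        print(f"{domain}: subdomains_provider={subdom} auth_provider={auth}")
```

On a real host, pass the contents of /etc/sssd/sssd.conf instead of SAMPLE and compare the installed package against the "Fixed In Version" field above.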

Comment 6 Lukas Slebodnik 2017-01-11 13:35:40 UTC
*** Bug 1412170 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2017-01-17 18:09:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0078.html