Bug 1457644

Summary: Segfault when access_provider = krb5 is set in sssd.conf, due to an off-by-one error when constructing the child send buffer
Product: Red Hat Enterprise Linux 7
Reporter: Amith <apeetham>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Amith <apeetham>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.4
CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.15.2-38.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:06:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: SSSD Domain log file. (Flags: none)

Description Amith 2017-06-01 06:04:01 UTC
Created attachment 1283991 [details]
SSSD Domain log file.

Description of problem:
This issue was fixed in rhel-7.3, see https://bugzilla.redhat.com/show_bug.cgi?id=1372753.
It has resurfaced in 7.4 and is causing regression failures. Observed during the automated regression rounds on an LDAP + KRB server setup. When access_provider = krb5 is set in sssd.conf, authentication fails for krb users with the following errors in /var/log/secure:

sshd[6003]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=testuser
sshd[6003]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
sshd[6003]: Failed password for testuser from ::1 port 34894 ssh2
sshd[6003]: fatal: Access denied for user testuser by PAM account configuration [preauth]

Version-Release number of selected component (if applicable):
sssd-1.15.2-37.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up a 389DS LDAP server and a KRB server.

2. Add a testuser to the LDAP server and add the same user to the KRB server; see the command below:
 # kadmin.local -q "addprinc -pw Secret123 testuser"

3. Set up a RHEL-7.3 SSSD client system with the following configuration:

SSSD.CONF File
--------------------------------------
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://<LDAP_SERVER>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = <KRB_SERVER>
krb5_realm = EXAMPLE.COM

4. Execute user auth. (auth fails)

[root@rhel-74 sssd]# ssh -l testuser localhost
testuser@localhost's password: 
Authentication failed.


5. Now comment out or remove the line "access_provider = krb5" from sssd.conf. Clear the cache and restart the sssd service.

6. Execute user auth (auth succeeds).


Actual results: User authentication failure


Expected results: Successful authentication.


Additional info:
I have attached the SSSD_DOMAIN log file.
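
The summary attributes the crash to an off-by-one error in the buffer the parent process builds for the krb5 child. The following is an added illustration of that bug class and of the defensive check a receiving side should perform; it is written for this page and is not sssd's code. The message layout, the function names build_send_buf, parse_child_buf and roundtrip, and the sample strings "testuser" and "EXAMPLE.COM" (borrowed from the reproducer configuration above) are all constructed assumptions, not sssd's real wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout (assumption, NOT sssd's real krb5_child format):
 *   [u32 payload_len][u32 len_a][a bytes incl. NUL][u32 len_b][b bytes incl. NUL]
 * payload_len counts every byte after the first u32. */

#define BUF_SIZE 256
#define OUT_SIZE 64

static size_t put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); return sizeof v; }
static uint32_t get_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Parent side: serialise two strings. With buggy != 0 the header under-counts
 * the payload by one byte per string (the NUL terminators are forgotten), which
 * is the class of miscount the bug summary describes. Returns bytes written,
 * or 0 if the caller's buffer is too small. */
size_t build_send_buf(uint8_t *buf, size_t bufsz, const char *a, const char *b, int buggy)
{
    size_t la = strlen(a) + 1;      /* field lengths include the NUL */
    size_t lb = strlen(b) + 1;
    size_t payload = 2 * sizeof(uint32_t) + la + lb;
    size_t declared = buggy ? payload - 2 : payload;
    size_t off = 0;

    if (sizeof(uint32_t) + payload > bufsz) return 0;

    off += put_u32(buf + off, (uint32_t)declared);
    off += put_u32(buf + off, (uint32_t)la);
    memcpy(buf + off, a, la); off += la;
    off += put_u32(buf + off, (uint32_t)lb);
    memcpy(buf + off, b, lb); off += lb;
    return off;
}

/* Child side: parse defensively. Every length is checked against what was
 * actually received, each string must carry its NUL inside its own field, and
 * the walk must end exactly at the declared payload end. Returns 0 on success,
 * -1 on any inconsistency, so a miscounted header fails closed instead of
 * letting the child read past the end of the buffer. */
int parse_child_buf(const uint8_t *buf, size_t buflen, char *out_a, char *out_b, size_t outsz)
{
    char *outs[2] = { out_a, out_b };
    const uint8_t *p, *end;
    size_t payload;

    if (buflen < sizeof(uint32_t)) return -1;
    payload = get_u32(buf);
    if (payload > buflen - sizeof(uint32_t)) return -1;   /* declared more than received */
    p = buf + sizeof(uint32_t);
    end = p + payload;

    for (int i = 0; i < 2; i++) {
        size_t len;
        if ((size_t)(end - p) < sizeof(uint32_t)) return -1;
        len = get_u32(p);
        p += sizeof(uint32_t);
        if (len == 0 || len > (size_t)(end - p) || len > outsz) return -1;
        if (p[len - 1] != '\0') return -1;                /* NUL must sit inside the field */
        memcpy(outs[i], p, len);
        p += len;
    }
    return (p == end) ? 0 : -1;      /* leftover bytes also indicate a miscount */
}

/* Round trip used by the test: 0 = parsed and strings match,
 * -1 = parser rejected the message, -2 = parsed but content differs. */
int roundtrip(int buggy)
{
    uint8_t buf[BUF_SIZE];
    char a[OUT_SIZE], b[OUT_SIZE];
    size_t n = build_send_buf(buf, sizeof buf, "testuser", "EXAMPLE.COM", buggy);
    int rc = parse_child_buf(buf, n, a, b, sizeof a);
    if (rc != 0) return rc;
    return (strcmp(a, "testuser") == 0 && strcmp(b, "EXAMPLE.COM") == 0) ? 0 : -2;
}

int main(void)
{
    printf("correct header:    %d\n", roundtrip(0));   /* 0  */
    printf("off-by-one header: %d\n", roundtrip(1));   /* -1 */
    return 0;
}
```

With the correctly counted header the child parses both strings; with the off-by-one header the second string no longer fits inside the declared payload and the parser rejects the message rather than walking off the end, which is the outcome a strict receiver should produce for any miscount, regardless of where in the sender it originates.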

Comment 5 Jakub Hrozek 2017-06-01 07:57:06 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3418

Comment 6 Lukas Slebodnik 2017-06-01 12:14:41 UTC
master:
* f772649cb8b624f4b4dfa5521f487ef38e3f8931

Comment 8 Amith 2017-06-13 12:55:08 UTC
Verified the bug on SSSD Version: sssd-1.15.2-45.el7.x86_64

See the beaker job output (https://beaker.engineering.redhat.com/jobs/1901887) for the automated KRB access provider tests:


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb access provider setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Command 'strict eval 'getent -s sss passwd testuser3'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'getent -s sss passwd testuser4'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser4 Secret123'' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: krb access provider setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: accessProvider_krb5_001 .k5login is an empty file.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'strict eval 'auth_failure testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'pam_sss(sshd:auth): Request to sssd failed' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Failed password for testuser3' 
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser4 Secret123'' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: accessProvider_krb5_001 .k5login is an empty file.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: accessProvider_krb5_002 .k5login has testuser3
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'strict eval 'auth_success testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'pam_sss(sshd:auth): authentication success' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Accepted password for testuser3' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP-KRB5.log' should contain 'Access allowed for user \[testuser3' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: accessProvider_krb5_002 .k5login has testuser3

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: accessProvider_krb5_003 .k5login has testuser3 and testuser4
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'strict eval 'auth_success testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/accessProvider_id_krb5_003.out' should contain 'testuser3' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: accessProvider_krb5_003 .k5login has testuser3 and testuser4

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: accessProvider_krb5_004 .k5login has testuser3 and testuser4 and testuser3 is deleted.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'strict eval 'auth_success testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/accessProvider_id_krb5_004.out' should not contain 'testuser3' 
:: [   PASS   ] :: File '/tmp/accessProvider_id_krb5_004.out' should contain 'testuser4' 
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: accessProvider_krb5_004 .k5login has testuser3 and testuser4 and testuser3 is deleted.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Comment 9 errata-xmlrpc 2017-08-01 09:06:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294