Bug 1661183
Summary: | SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Steeve Goveas <sgoveas> |
Severity: | high | Priority: | unspecified |
Version: | 8.0 | CC: | grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, pbrezina, sgoveas, tscherf, wchadwic |
Target Milestone: | rc | Target Release: | 8.0 |
Hardware: | x86_64 | OS: | Linux |
Fixed In Version: | sssd-2.0.0-39.el8 | Doc Type: | If docs needed, set a value |
Clone Of: | 1654537 | Bug Depends On: | 1654537 |
Last Closed: | 2019-06-13 23:11:51 UTC | Type: | Bug |

Description
Jakub Hrozek
2018-12-20 10:29:35 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3909

* master: e4469fbdb3d5c53294c6514280ac75b847b3c61c

Steeve, can you consider giving qa_ack for this bug? I'm afraid there is no reliable reproducer. The only thing I can think of (and if you need that, I can prepare detailed steps) is to delay the execution of some PAM action by more than 25 seconds with gdb.

Jakub, if there is a way to test, then I think it will be good to try it. We can automate it as well.

Reproducing the issue on RHEL7 sssd
------------------------------------

Versions:

```
sssd-client-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
sssd-tools-1.16.2-13.el7.x86_64
sssd-libwbclient-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-ad-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
python-sssdconfig-1.16.2-13.el7.noarch
sssd-ipa-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
sssd-kcm-1.16.2-13.el7.x86_64
sssd-winbind-idmap-1.16.2-13.el7.x86_64
```

1. Configure /etc/sssd/sssd.conf as below:

```
[root@host-8-243-176 sssd]# cat /etc/sssd/sssd.conf
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, sudo, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldaps://host-8-243-176.host.centralci.eng.rdu2.redhat.com
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = host-8-243-176.host.centralci.eng.rdu2.redhat.com
krb5_kpasswd = host-8-243-176.host.centralci.eng.rdu2.redhat.com
krb5_realm = EXAMPLE.TEST
debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

[secrets]
debug_level = 9

[kcm]
debug_level = 9
```

2. Run gdb and attach sssd backend process to put it to sleep, as shown below:

```
gdb -p $(pidof sssd_be) -ex "shell sleep 60" -ex detach -ex quit &
Loaded symbols for /lib64/libgssapi_krb5.so.2
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /usr/lib64/sssd/libsss_krb5.so...Reading symbols from /usr/lib64/sssd/libsss_krb5.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/sssd/libsss_krb5.so
Reading symbols from /lib64/libfreeblpriv3.so...Reading symbols from /lib64/libfreeblpriv3.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libfreeblpriv3.so
Reading symbols from /lib64/libnss_sss.so.2...Reading symbols from /lib64/libnss_sss.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_sss.so.2
[1]+ Stopped gdb -p $(pidof sssd_be) -ex "shell sleep 60" -ex detach -ex quit
[root@host-8-243-176 sssd]# id foo0
id: foo0: no such user
[root@host-8-243-176 sssd]# id foo0
```

On RHEL8:

Versions:

```
sssd-krb5-common-2.0.0-43.el8.x86_64
sssd-tools-2.0.0-43.el8.x86_64
sssd-dbus-2.0.0-43.el8.x86_64
sssd-2.0.0-43.el8.x86_64
sssd-libwbclient-2.0.0-23.el8.x86_64
sssd-client-2.0.0-43.el8.x86_64
sssd-ipa-2.0.0-43.el8.x86_64
sssd-ldap-2.0.0-43.el8.x86_64
sssd-winbind-idmap-2.0.0-23.el8.x86_64
python3-sssdconfig-2.0.0-43.el8.noarch
sssd-common-pac-2.0.0-43.el8.x86_64
sssd-krb5-2.0.0-43.el8.x86_64
sssd-proxy-2.0.0-43.el8.x86_64
sssd-kcm-2.0.0-43.el8.x86_64
sssd-ad-2.0.0-43.el8.x86_64
sssd-nfs-idmap-2.0.0-23.el8.x86_64
sssd-common-2.0.0-43.el8.x86_64
```

1. Configure sssd.conf as below:

```
[root@foobar1 db]# cat /etc/sssd/sssd.conf
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, sudo, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldaps://foobar1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = foobar1.example.test
krb5_kpasswd = foobar1.example.test
krb5_realm = EXAMPLE.TEST
debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

[secrets]
debug_level = 9

[kcm]
debug_level = 9
```

```
[root@foobar1 db]# ps -ef | grep sssd
root 3759 1 0 19:48 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 3760 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
root 3761 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain EXAMPLE.TEST --uid 0 --gid 0 --logger=files
root 3762 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 3763 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 3764 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 3765 3759 0 19:48 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
```

2. Run gdb and set backend to sleep:

```
gdb -p 3761 -ex "set confirm off" -ex "shell sleep 60" -ex detach -ex quit &
Reading symbols from .gnu_debugdata for /usr/lib64/sasl2/libplain.so...
warning: Loadable section ".note.gnu.property" outside of ELF segments
(no debugging symbols found)...done.
(no debugging symbols found)...done.
Reading symbols from /usr/lib64/sssd/libsss_krb5.so...Missing separate debuginfo for /usr/lib64/sssd/libsss_krb5.so
Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/e1/507d88594fa7f5d875f41ed7a3cc59104adb0d.debug
Reading symbols from .gnu_debugdata for /usr/lib64/sssd/libsss_krb5.so...
warning: Loadable section ".note.gnu.property" outside of ELF segments
(no debugging symbols found)...done.
(no debugging symbols found)...done.
0x00007fcd32de6ceb in epoll_wait () from /lib64/libc.so.6
[root@foobar1 db]# id foo0
Detaching from program: /usr/libexec/sssd/sssd_be, process 3761
[Inferior 1 (process 3761) detached]
uid=14583100(foo0) gid=14564100(ldapusers) groups=14564100(ldapusers)
[1]+ Done gdb -p 3761 -ex "set confirm off" -ex "shell sleep 60" -ex detach -ex quit
```