Bug 2035625

Summary: sssd AD auth broken with sssd_be segfault
Product: [Fedora] Fedora Reporter: Scott Dowdle <dowdle>
Component: sssdAssignee: sssd-maintainers <sssd-maintainers>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 35CC: abokovoy, atikhono, jhrozek, lslebodn, luk.claes, mzidek, pbrezina, sbose, ssorce, sssd-maintainers
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-26 06:31:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Scott Dowdle 2021-12-26 04:30:40 UTC
All of my F35 hosts no longer have working active directory authentication via sssd... and I'm receiving the following segfault error every few seconds:

sssd_be[pid]: segfault at 0 ip 00007f9cfecb00da sp 00007ffd389203e8 error 4 in libc.so.6

In the journal log entries for sssd I see:
sssd_be[2341]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

Comment 1 Alexander Bokovoy 2021-12-26 05:19:08 UTC
Please see recommendations at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#ensuring-support-for-common-encryption-types-in-ad-and-rhel_connecting-rhel-systems-directly-to-ad-using-sssd

Fedora 35 does not enable RC4 cipher in Kerberos, this means SSSD would attempt to use AES ciphers by default. If your AD users do not have AES keys, then there would be no common encryption type.

It would, however, be good to see the full crash dump and stack trace. May be there is something else at play too.

Could you please enable 'debug_level=9' in the domain section?

Comment 2 Scott Dowdle 2021-12-26 06:31:26 UTC
I used the recommendation from the RHEL8 article that you pointed me to... and that works.  I just didn't expect this behavior having run into the problem as a result of upgrading from F34 (where it was working) to F35.  Sounds like something to have a wiki page about.

Marking as closed.

Comment 3 Alexey Tikhonov 2021-12-27 11:09:49 UTC
Hi,

Could you please still provide a coredump and, ideally, sssd_$domain.log with debug_level=9 that corresponds this crash?

IIRC, sssd_be doesn't operate kerberos credentials so dump shouldn't have it either, but if this worries you please feel free to email me or sssd-maintainers.org directly.

Comment 4 Scott Dowdle 2022-01-04 02:48:56 UTC
Sorry, I don't have any more broken systems to do that stuff.

Comment 5 Alexey Tikhonov 2022-01-04 08:42:19 UTC
Please reopen in case new information available.