Bug 575187

Summary: SSSD pollutes log with error messages
Product: [Fedora] Fedora Reporter: Eugene Indenbom <eindenbom>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.2.0-12.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-01 18:13:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eugene Indenbom 2010-03-19 17:14:25 UTC 
Description of problem:
When using LDAP connection with kerberos encryption SSSD pollutes system log with 2 messages every 10 minutes.

The messages are as follows:
Mar 18 16:54:29 node-1 sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Version-Release number of selected component (if applicable): 1.0.5


How reproducible:

Steps to Reproduce:
1. Configure SSSD domain with LDAP id provider and kerberos authentication and encryption
2. Look into event log
  
Actual results:
2 error messages every 10 minutes appeared.

Expected results:
No error messages are expected.


Additional info:
SSSD functions normally. The messages are produced by sasl_callback set predefined SASL_CB_LOG.

An error happens during kerberos packet encryption after kerberos ticket is expired.

The error is handled by SSSD later on, but message gets added to system log.

There 2 side problems here:
1. Why ticket is acquired for only 5 minutes?
2. Why reconnect happens only after error, not in advance?

It makes sense in case of kerberos encryption to acquire ticket for longer period (say 24h) and reconnect in advance before ticket expiry, avoiding error message and processing delay.

The workaround for this problem is to use SSL encryption instead of kerberos.
Comment 1 Fedora Admin XMLRPC Client 2010-04-28 14:48:58 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Fedora Update System 2010-05-18 18:34:01 UTC 
sssd-1.1.92-11.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13
Comment 3 Fedora Update System 2010-05-19 19:14:58 UTC 
sssd-1.1.92-11.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13
Comment 4 Fedora Update System 2010-05-27 18:28:56 UTC 
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.2.0-12.fc13
Comment 5 Fedora Update System 2010-06-01 18:12:57 UTC 
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.