Bug 640602

Summary: sssd is not escaping correctly LDAP searches
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: benl, grajaiya, jgalipea, loris, sgallagh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.5.0-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 640597 Environment:
Last Closed: 2011-05-19 11:41:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 640597    
Bug Blocks: 640601    

Description Dmitri Pal 2010-10-06 12:55:44 UTC
+++ This bug was initially created as a clone of Bug #640597 +++

Description of problem:

sssd is not escaping correctly LDAP searches, and when it receives an error from the LDAP server is going offline

Version-Release number of selected component (if applicable):

sssd-1.2.1-27.el5

How reproducible:

always

Steps to Reproduce:

I noticed that sssd in some of our servers was going offline with no apparent reason, so bumping up the debug_level I found this in the logs:

(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_get_account_info] (4): Got request for [4097][1][name=hacienda\eladio]
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

A bit of investigation turned up that the query was initiated by winbind, which was running on the server, so it was a matter of changing the "winbind separator" and restarting winbind and sssd to hide the problem.

Now is evident that this is a bug in SSSD, where it is sufficient that any user queryiing for a username with an '\' in its name to have SSSD going offline.

I reproduced this executing "id hacienda\\eladio"

Comment 2 Gowrishankar Rajaiyan 2011-04-07 12:10:04 UTC
On server:
# user\5Ca, People, example.com
dn: uid=user\5Ca,ou=People,dc=example,dc=com
uidNumber: 29201
gidNumber: 29201
objectClass: top
objectClass: posixAccount
objectClass: inetuser
cn: user\5Ca
homeDirectory: /home/usera
loginShell: /bin/bash
uid: user\a
userPassword:: U2VjcmV0MTIz

# group\5Ca, Groups, example.com
dn: cn=group\5Ca,ou=Groups,dc=example,dc=com
gidNumber: 29201
objectClass: top
objectClass: posixGroup
memberUid: uid=user\5Ca,ou=People,dc=example,dc=com
cn: group\a

# user\5C001, People, example.com
dn: uid=user\5C001,ou=People,dc=example,dc=com
uidNumber: 29204
gidNumber: 29204
objectClass: top
objectClass: posixAccount
objectClass: inetuser
cn: user001
homeDirectory: /home/user001
loginShell: /bin/bash
uid: user\001
userPassword:: U2VjcmV0MTIz

# group\5C001, Groups, example.com
dn: cn=group\5C001,ou=Groups,dc=example,dc=com
gidNumber: 29204
objectClass: top
objectClass: posixGroup
memberUid: uid=user\5C001,ou=People,dc=example,dc=com
cn: group\001

On Client:
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9

# id user\\a
uid=29201(user\a) gid=29201(group\a) groups=29201(group\a)

# id -G -n user\\a
group\a

# id user\\001
uid=29204(user\001) gid=29204(group\001) groups=29204(group\001)

# id -G -n user\\001
group\001

# ssh -l user\\a localhost
user\a@localhost's password: 
Creating directory '/home/usera'.
Last login: Thu Apr  7 15:35:18 2011 from localhost
[user\a@rhel6-1 ~]$ id
uid=29201(user\a) gid=29201(group\a) groups=29201(group\a) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 4 Gowrishankar Rajaiyan 2011-04-07 12:14:26 UTC
Verified.

# rpm -qi sssd
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 5 errata-xmlrpc 2011-05-19 11:41:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 6 errata-xmlrpc 2011-05-19 13:08:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html