Bug 683255

Summary: sudo/ldap lookup via sssd gets stuck for 5min waiting on netgroup
Product: Red Hat Enterprise Linux 6 Reporter: Guil Barros <gbarros>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, kbanerje, pbatkowski, prc, sbose
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.5.1-14.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 683260 (view as bug list) Environment:
Last Closed: 2011-05-19 11:40:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 683260    
Attachments:
Description Flags
sssd log file none

Description Guil Barros 2011-03-08 22:30:17 UTC 
Created attachment 483050 [details]
sssd log file

Description of problem:
sssd seems to get stuck on certain netgroups when doing a lookup for sudo.


Version-Release number of selected component (if applicable):
sssd-1.5.1-11

How reproducible:
every time

Steps to Reproduce:
unknown
  
Actual results:
sudo takes 5min to return

Expected results:
sudo returns immediately

Additional Info:
strace snippet:
11:33:24 write(4, "%\0\0\0a\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
11:33:24 poll([{fd=4, events=POLLOUT}], 1, 300000) = 1 ([{fd=4, revents=POLLOUT}])
11:33:24 write(4, "fg_5400_prod_support\0", 21) = 21
11:33:24 poll([{fd=4, events=POLLIN}], 1, 300000) = 0 (Timeout)
11:38:24 close(4)                       = 0
11:38:24 socket(PF_FILE, SOCK_STREAM, 0) = 4
11:38:24 fcntl(4, F_GETFL)              = 0x2 (flags O_RDWR)
11:38:24 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
11:38:24 fcntl(4, F_GETFD)              = 0
11:38:24 fcntl(4, F_SETFD, FD_CLOEXEC)  = 0
11:38:24 connect(4, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0
Comment 1 Sumit Bose 2011-03-09 09:41:09 UTC 
Upstream ticket https://fedorahosted.org/sssd/ticket/819
Comment 3 Kaushik Banerjee 2011-03-29 08:49:08 UTC 
To reproduce this issue, put '(test)' into the description attribute of a netgroup entry and add 'ldap_netgroup_triple = description' to sssd.conf

sssd.conf domain section:
[domain/LDAP]
debug_level = 9
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://<ldap server hostname>
ldap_search_base = dc=example,dc=com
ldap_netgroup_triple = description


In version 1.5.1-12:
The first 'getent netgroup broken_netgroup' returns nothing and the next call does not return at all for a very long time.

In version 1.5.1-21:
'getent netgroup broken_netgroup' returns nothing on every enumeration and exits back to the shell immediately.

Version verified in:
rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 21.el6                        Build Date: Mon 28 Mar 2011 09:24:56 PM IST
Install Date: Mon 28 Mar 2011 11:37:09 PM IST      Build Host: x86-007.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-21.el6.src.rpm
Size        : 3462613                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 errata-xmlrpc 2011-05-19 11:40:38 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 5 errata-xmlrpc 2011-05-19 13:09:54 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html