Bug 771702

Summary: sssd_pam crashes during change password operation against a IPA server.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: grajaiya, jgalipea, jhrozek, ksiddiqu, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.8.0-2.el6.beta2 Doc Type: Bug Fix
Doc Text:
Cause: In cases the SSSD was operating on offline mode and Kerberos password was requested with a configuration that also uses the KDC server for changing passwords, the SSSD was issuing the password change requests in an infinite loop Consequence: The sssd_be process was looping infinitely and occasionally even crashing Fix: The sssd_be process was fixed to not call the password changing request when offline Result: When a password change operation is requested while the SSSD is offline, the operations exits gracefully.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 11:51:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2012-01-04 17:03:08 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.5.1-66.el6_2.1.x86_64.rpm

How reproducible:
100%

Steps to Reproduce:
1. Make sure "allow_all" hbacrule is enabled.
2. Create an IPA user.
3. From client do "ssh -l shanks SERVER.hostname"
4. Enter password, and change password requested.
5. Enter and re-enter new password.
  
Actual results:
Re-enter new password prompt hangs. sssd_pam crash detected in /var/log/messages.

Expected results:
Password changed successfully with no crash detected.

Additional info:

relevant ipa server sssd.conf:
[domain/lab.eng.pnq.redhat.com]
timeout = 30000
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = bumblebee.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

relevant client sssd.conf:
[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_search_base = cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
auth_provider = krb5
krb5_server = bumblebee.lab.eng.pnq.redhat.com
krb5_realm = LAB.ENG.PNQ.REDHAT.COM
krb5_lifetime = 120
krb5_renew_interval = 10
krb5_renewable_lifetime = 300


# gdb --core=/var/spool/abrt/ccpp-2012-01-03-05\:36\:27-23164/coredump /usr/libexec/sssd/sssd_pam --quiet -ex "thread apply all bt full" -ex "quit"
Reading symbols from /usr/libexec/sssd/sssd_pam...Reading symbols from /usr/lib/debug/usr/libexec/sssd/sssd_pam.debug...done.
done.
[New Thread 23164]
Missing separate debuginfo for 
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/0a/c87124da6b3667e15d65262886e136d5682803
Reading symbols from /usr/lib64/libtevent.so.0.9.8...Reading symbols from /usr/lib/debug/usr/lib64/libtevent.so.0.9.8.debug...done.
done.
Loaded symbols for /usr/lib64/libtevent.so.0.9.8
Reading symbols from /usr/lib64/libtalloc.so.2.0.1...Reading symbols from /usr/lib/debug/usr/lib64/libtalloc.so.2.0.1.debug...done.
done.
Loaded symbols for /usr/lib64/libtalloc.so.2.0.1
Reading symbols from /lib64/libpopt.so.0.0.0...Reading symbols from /usr/lib/debug/lib64/libpopt.so.0.0.0.debug...done.
done.
Loaded symbols for /lib64/libpopt.so.0.0.0
Reading symbols from /usr/lib64/libldb.so.0.9.10...Reading symbols from /usr/lib/debug/usr/lib64/libldb.so.0.9.10.debug...done.
done.
Loaded symbols for /usr/lib64/libldb.so.0.9.10
Reading symbols from /lib64/libdbus-1.so.3.4.0...Reading symbols from /usr/lib/debug/lib64/libdbus-1.so.3.4.0.debug...done.
done.
Loaded symbols for /lib64/libdbus-1.so.3.4.0
Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/librt.so.1
Reading symbols from /lib64/libpcre.so.0.0.1...Reading symbols from /usr/lib/debug/lib64/libpcre.so.0.0.1.debug...done.
done.
Loaded symbols for /lib64/libpcre.so.0.0.1
Reading symbols from /usr/lib64/libini_config.so.2.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libini_config.so.2.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libini_config.so.2.0.0
Reading symbols from /usr/lib64/libcollection.so.2.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libcollection.so.2.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libcollection.so.2.0.0
Reading symbols from /usr/lib64/libdhash.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libdhash.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libdhash.so.1.0.0
Reading symbols from /lib64/liblber-2.4.so.2.5.6...Reading symbols from /usr/lib/debug/lib64/liblber-2.4.so.2.5.6.debug...done.
done.
Loaded symbols for /lib64/liblber-2.4.so.2.5.6
Reading symbols from /lib64/libldap-2.4.so.2.5.6...Reading symbols from /usr/lib/debug/lib64/libldap-2.4.so.2.5.6.debug...done.
done.
Loaded symbols for /lib64/libldap-2.4.so.2.5.6
Reading symbols from /usr/lib64/libtdb.so.1.2.1...Reading symbols from /usr/lib/debug/usr/lib64/libtdb.so.1.2.1.debug...done.
done.
Loaded symbols for /usr/lib64/libtdb.so.1.2.1
Reading symbols from /usr/lib64/libssl3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libssl3.so.debug" does not match "/usr/lib64/libssl3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libssl3.so.debug" does not match "/usr/lib64/libssl3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libssl3.so
Reading symbols from /usr/lib64/libsmime3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libsmime3.so.debug" does not match "/usr/lib64/libsmime3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libsmime3.so.debug" does not match "/usr/lib64/libsmime3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsmime3.so
Reading symbols from /usr/lib64/libnss3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libnss3.so.debug" does not match "/usr/lib64/libnss3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libnss3.so.debug" does not match "/usr/lib64/libnss3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libnss3.so
Reading symbols from /usr/lib64/libnssutil3.so...Reading symbols from /usr/lib/debug/usr/lib64/libnssutil3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libnssutil3.so
Reading symbols from /lib64/libplds4.so...Reading symbols from /usr/lib/debug/lib64/libplds4.so.debug...done.
done.
Loaded symbols for /lib64/libplds4.so
Reading symbols from /lib64/libplc4.so...Reading symbols from /usr/lib/debug/lib64/libplc4.so.debug...done.
done.
Loaded symbols for /lib64/libplc4.so
Reading symbols from /lib64/libnspr4.so...Reading symbols from /usr/lib/debug/lib64/libnspr4.so.debug...done.
done.
Loaded symbols for /lib64/libnspr4.so
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/lib64/libunistring.so.0.1.2...Reading symbols from /usr/lib/debug/usr/lib64/libunistring.so.0.1.2.debug...done.
done.
Loaded symbols for /usr/lib64/libunistring.so.0.1.2
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libpath_utils.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libpath_utils.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libpath_utils.so.1.0.0
Reading symbols from /usr/lib64/libref_array.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libref_array.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libref_array.so.1.0.0
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /usr/lib64/libsasl2.so.2.0.23...Reading symbols from /usr/lib/debug/usr/lib64/libsasl2.so.2.0.23.debug...done.
done.
Loaded symbols for /usr/lib64/libsasl2.so.2.0.23
Reading symbols from /lib64/libz.so.1.2.3...Reading symbols from /usr/lib/debug/lib64/libz.so.1.2.3.debug...done.
done.
Loaded symbols for /lib64/libz.so.1.2.3
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libfreebl3.so...Reading symbols from /usr/lib/debug/lib64/libfreebl3.so.debug...done.
done.
Loaded symbols for /lib64/libfreebl3.so
Reading symbols from /usr/lib64/ldb/memberof.so...Reading symbols from /usr/lib/debug/usr/lib64/ldb/memberof.so.debug...done.
done.
Loaded symbols for /usr/lib64/ldb/memberof.so
Core was generated by `/usr/libexec/sssd/sssd_pam -d 0 --debug-to-files'.
Program terminated with signal 6, Aborted.
#0  0x0000003e37a32885 in raise () from /lib64/libc.so.6

Thread 1 (Thread 0x7f3a64d23700 (LWP 23164)):
#0  0x0000003e37a32885 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000003e37a34065 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000003e39e2a975 in _dbus_abort () at dbus-sysdeps.c:88
        s = <value optimized out>
#3  0x0000003e39e26845 in _dbus_warn_check_failed (
    format=0x3e39e339e0 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n") at dbus-internals.c:283
        args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff654e8990, reg_save_area = 0x7fff654e88c0}}
#4  0x0000003e39e10471 in dbus_connection_send_with_reply (connection=0x0, message=0x1d59750, pending_return=0x7fff654e89d8, 
    timeout_milliseconds=150000) at dbus-connection.c:3226
        pending = <value optimized out>
        serial = -1
        status = <value optimized out>
        __FUNCTION__ = "dbus_connection_send_with_reply"
#5  0x0000000000423144 in sbus_conn_send (conn=<value optimized out>, msg=<value optimized out>, timeout_ms=<value optimized out>, 
    reply_handler=0x430c60 <sss_dp_send_acct_callback>, pvt=0x1d6bd80, pending=0x7fff654e8ad8) at src/sbus/sssd_dbus_connection.c:711
        pending_reply = <value optimized out>
        dbus_conn = <value optimized out>
        dbret = <value optimized out>
        __FUNCTION__ = "sbus_conn_send"
#6  0x000000000043088d in sss_dp_send_acct_req_create (rctx=0x1d54830, callback_memctx=0x1d5c0e0, 
    callback=0x409cc0 <pam_check_user_dp_callback>, callback_ctx=0x1d5c0e0, timeout=150000, domain=0x1d530e0 "lab.eng.pnq.redhat.com", 
    fast_reply=false, type=3, opt_name=0x1d63d40 "shanks", opt_id=0) at src/responder/common/responder_dp.c:493
        msg = 0x1d59750
        dbret = <value optimized out>
        ret = <value optimized out>
        pending_reply = <value optimized out>
        cb = <value optimized out>
        sdp_req = 0x1d6bd80
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6.x86_64 nss-3.12.10-16.el6.x86_64
---Type <return> to continue, or q <return> to quit---
        attrs = 1
        be_conn = 0x1d58180
#7  sss_dp_send_acct_req (rctx=0x1d54830, callback_memctx=0x1d5c0e0, callback=0x409cc0 <pam_check_user_dp_callback>, 
    callback_ctx=0x1d5c0e0, timeout=150000, domain=0x1d530e0 "lab.eng.pnq.redhat.com", fast_reply=false, type=3, 
    opt_name=0x1d63d40 "shanks", opt_id=0) at src/responder/common/responder_dp.c:385
        ret = <value optimized out>
        hret = <value optimized out>
        be_type = <value optimized out>
        filter = 0x1d6c110 "name=shanks"
        key = {type = HASH_KEY_STRING, {str = 0x1d55810 "3shanks.pnq.redhat.com", ul = 30758928}}
        value = {type = 1699646224, {ptr = 0x3e37a722f5, i = 933700341, ui = 933700341, l = 267221672693, ul = 267221672693, 
            f = 1.99242295e-05, d = 1.3202504830184524e-312}}
        tmp_ctx = 0x1d652d0
        tv = {tv_sec = 206158430248, tv_usec = 140734893034448}
        sdp_req = 0x0
        cb = <value optimized out>
        __FUNCTION__ = "sss_dp_send_acct_req"
#8  0x0000000000408093 in pam_check_user_search (preq=0x1d5c0e0) at src/responder/pam/pamsrv_cmd.c:902
        dom = 0x1d54da0
        cctx = <value optimized out>
        name = 0x1d63d40 "shanks"
        sysdb = 0x1d55810
        cacheExpire = <value optimized out>
        ret = <value optimized out>
        __FUNCTION__ = "pam_check_user_search"
#9  0x000000000040a8f1 in pam_forwarder (cctx=<value optimized out>, pam_cmd=<value optimized out>) at src/responder/pam/pamsrv_cmd.c:796
        dom = 0x1d54da0
        preq = 0x1d5c0e0
        pd = 0x1d5bd20
        body = 0x1d6f770 "IPAM\001"
        blen = 124
        ret = <value optimized out>
        ncret = <value optimized out>
        terminator = 1229996365
        __FUNCTION__ = "pam_forwarder"
#10 0x000000000040b641 in pam_cmd_authenticate (cctx=0x1d5ba50) at src/responder/pam/pamsrv_cmd.c:1003
---Type <return> to continue, or q <return> to quit---
        __FUNCTION__ = "pam_cmd_authenticate"
#11 0x000000000042d950 in client_recv (ev=<value optimized out>, fde=<value optimized out>, flags=1, ptr=<value optimized out>)
    at src/responder/common/responder_common.c:183
        ret = <value optimized out>
#12 client_fd_handler (ev=<value optimized out>, fde=<value optimized out>, flags=1, ptr=<value optimized out>)
    at src/responder/common/responder_common.c:221
        cctx = 0x1d5ba50
#13 0x0000003e3d605456 in epoll_event_loop (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:309
        fde = <value optimized out>
        flags = <value optimized out>
        ret = 1
        i = <value optimized out>
        events = {{events = 1, data = {ptr = 0x1d6ad00, fd = 30846208, u32 = 30846208, u64 = 30846208}}}
        timeout = <value optimized out>
#14 std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:544
        std_ev = 0x1d513e0
        tval = {tv_sec = 0, tv_usec = 34450}
#15 0x0000003e3d6026d0 in _tevent_loop_once (ev=0x1d51320, location=0x439595 "src/util/server.c:526") at tevent.c:490
        ret = <value optimized out>
        nesting_stack_ptr = 0x0
#16 0x0000003e3d60273b in tevent_common_loop_wait (ev=0x1d51320, location=0x439595 "src/util/server.c:526") at tevent.c:591
        ret = <value optimized out>
#17 0x0000000000427921 in server_loop (main_ctx=0x1d52420) at src/util/server.c:526
No locals.
#18 0x0000000000407aa0 in main (argc=<value optimized out>, argv=<value optimized out>) at src/responder/pam/pamsrv.c:230
        opt = <value optimized out>
        pc = <value optimized out>
        main_ctx = 0x1d52420
        ret = <value optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x6408a0, val = 0, descrip = 0x433242 "Help options:", 
            argDescrip = 0x0}, {longName = 0x433250 "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x640998, val = 0, 
            descrip = 0x433221 "Debug level", argDescrip = 0x0}, {longName = 0x43325c "debug-to-files", shortName = 102 'f', argInfo = 0, 
            arg = 0x64099c, val = 0, descrip = 0x433388 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {
            longName = 0x43326b "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg = 0x640860, val = 0, 
            descrip = 0x43322d "Add debug timestamps", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, 
            val = 0, descrip = 0x0, argDescrip = 0x0}}
---Type <return> to continue, or q <return> to quit---
        __FUNCTION__ = "main"
Comment 2 Jakub Hrozek 2012-01-04 21:01:58 UTC 
I admit I haven't reproduced the crash but I saw a bug here - in the case Shanks tested, the ipa_kpasswd process returned that KDC was down. Because SSSD tried to create an expired TGT even when offline, it called the child agan, the child failed, sent sssd offline, sssd called the child again..etc.
Comment 3 Jakub Hrozek 2012-01-04 21:04:04 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1131
Comment 6 Jakub Hrozek 2012-04-03 18:06:05 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: In cases the SSSD was operating on offline mode and Kerberos password was requested with a configuration that also uses the KDC server for changing passwords, the SSSD was issuing the password change requests in an infinite loop

Consequence: The sssd_be process was looping infinitely and occasionally even crashing

Fix: The sssd_be process was fixed to not call the password changing request when offline

Result: When a password change operation is requested while the SSSD is offline, the operations exits gracefully.
Comment 7 Kaleem 2012-05-07 13:02:21 UTC 
Verified.

Now following message is displayed when sssd is working in offline mode and password change is requested.

"System is offline, password change not possible"

sssd-version:
=============
[root@ipa63server ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@ipa63server ~]#

console output:
===============
[root@ipa63client2 ~]# ssh -l tuser1 ipa63server.testrelm.com
tuser1.com's password: 
Last login: Mon May  7 18:24:45 2012 from ipa63client2.testrelm.com
-sh-4.1$ passwd
Changing password for user tuser1.
Current Password: 
System is offline, password change not possible
passwd: Authentication token manipulation error
-sh-4.1$
Comment 9 errata-xmlrpc 2012-06-20 11:51:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html