Bug 814269

Summary: sssd-1.5.1-66.el6_2.3.x86_64 freezes
Product: Red Hat Enterprise Linux 6
Reporter: Taunus <codezilla>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.2
CC: andias, cory.meyer, grajaiya, jgalipea, kbanerje, prc
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.8.0-22.el6
Doc Type: Bug Fix
Doc Text:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them. Consequence: SSSD would hang and never respond to requests. Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time. Result: SSSD no longer hangs unresponsive if the LDAP server is not responding.
Story Points: ---
Clone Of:
: 1291709 (view as bug list)
Environment:
Last Closed: 2012-06-20 11:56:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1291709

Description Taunus 2012-04-19 13:51:36 UTC
Description of problem:
sssd waits too long for feedback from ipa if IP packets are dropped.

Version-Release number of selected component (if applicable):
sssd-1.5.1-66

How reproducible:
drop packets to ipa

Steps to Reproduce:
1. drop packets to ipa
2. restart sssd
3. query for some user
  
Actual results:
about 20 sec wait

Expected results:
reply within a couple of seconds of the query

Additional info:
sssd takes too much time checking whether ipa is available or not.

To reproduce:

# Test 1
# Add "Deny IPA access" rule, no reply from network to sssd
iptables -I OUTPUT -d ipa.ip.address -j DROP
iptables -I OUTPUT -d ipa2.ip.address -j DROP

# drop existing connections
service sssd restart

# query for (nonexistent) user
id sdfgsd

# wait for about 20secs...
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j DROP
iptables -D OUTPUT -d ipa2.ip.address -j DROP
exit

# Test 2
# Compare the above to this. Firewall sends reject back to sssd
#
# Add "Reject IPA access with icmp" rule
iptables -I OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -I OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

# drop existing connections
service sssd restart

# query for (nonexistent) user
id shsgfgh

# No need to wait for very long
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -D OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

If you look at the connections with netstat while packets are being dropped and you are waiting, you see that sssd_be is waiting for a reply from the ipa server and the TCP state is SYN_SENT.

This can happen when a firewall drops the packets, or when you have a network connection but cannot reach ipa for some other reason.

I think it is the same thing as here:
https://bugzilla.redhat.com/show_bug.cgi?id=634592

Sometimes sssd goes into a loop, just checking for the ipa server continuously. Then the system is pretty much stuck for minutes.

cat /etc/sssd/sssd.conf

[sssd]
# debug_level = 5

services = nss, pam
config_file_version = 2

domains = sub.domain.com
[nss]

[pam]

[domain/sub.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = sub.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hostname.sub.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.sub.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt

Comment 2 Stephen Gallagher 2012-04-20 12:38:03 UTC
This was fixed upstream as commit https://fedorahosted.org/sssd/changeset/5bf2314b9f64099cd4e88b8f3498d986d97e1ac6/ included in SSSD 1.7.0 and 1.8.0.

Comment 3 Taunus 2012-04-20 14:05:46 UTC
Do you know when the fixed version will be available on rhel?

Comment 4 Stephen Gallagher 2012-04-20 14:30:53 UTC
(In reply to comment #3)
> Do you know when the fixed version will be available on rhel?

It will be fixed in RHEL 6.3, the beta of which should be released fairly soon.

Comment 7 Taunus 2012-04-25 07:17:29 UTC
Just downloaded the sssd rhel beta packages. The beta package version is sssd-1.8.0-22.el6 and the fixed packages in the bug say sssd-1.8.0-23.el6.

Comment 8 Stephen Gallagher 2012-04-25 11:17:02 UTC
(In reply to comment #7)
> Just downloaded sssd rhel beta packages. The beta package version is
> sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.

Yes, sorry. Apparently the RHEL beta shipped with -22. This is fixed and ready for the final release. If you contact your support rep, they may be able to provide you with the newer build.

Comment 9 Stephen Gallagher 2012-04-25 11:18:17 UTC
Actually, let me correct that. It looks like the package version is incorrect above. It should already be fixed in -22 (I need to read more carefully).

Correcting the FixedIn version.

Comment 10 Taunus 2012-04-25 11:27:43 UTC
Ok, I've tested the new packages a bit and sssd-1.8.0-22.el6 works much better than sssd-1.5.1-66.

Comment 11 Kaushik Banerjee 2012-04-25 14:34:03 UTC
Verified with version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Fri 20 Apr 2012 11:30:39 PM IST
Install Date: Wed 25 Apr 2012 07:28:48 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-23.el6.src.rpm
Size        : 7874744                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Verification steps (the delay is 6 seconds now):

# iptables -I OUTPUT -d ipaserver.example.com -j DROP
# date;id kau1;date
Fri Apr 20 16:15:14 IST 2012
id: kau1: No such user
Fri Apr 20 16:15:20 IST 2012

Comment 12 Stephen Gallagher 2012-06-12 13:55:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them.

Consequence: SSSD would hang and never respond to requests.

Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time.

Result: SSSD no longer hangs unresponsive if the LDAP server is not responding.

Comment 14 errata-xmlrpc 2012-06-20 11:56:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

Comment 15 Antonio Dias 2015-08-04 12:37:32 UTC
Is this bug going to be fixed for RHEL5 sssd packages?