Bug 833789

Summary: sssd_nss segfaults when sudo operation is performed.
Product: [Fedora] Fedora
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 17
CC: jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 08:06:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Attachment: bt full (Flags: none)

Description Gowrishankar Rajaiyan 2012-06-20 07:19:37 EDT
Created attachment 593181
bt full

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce: (Not sure if this is related, but the case where the crash was detected is:)

1. # ipa sudorule-show sudorule1 --all --raw
  dn: ipauniqueid=8d023938-bac0-11e1-b429-525400951069,cn=sudorules,cn=sudo,dc=testrelm,dc=com
  cn: sudorule1
  ipaenabledflag: TRUE
  memberhost: cn=hostgrp1,cn=hostgroups,cn=accounts,dc=testrelm,dc=com
  memberuser: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=com
  ipauniqueid: 8d023938-bac0-11e1-b429-525400951069
  objectclass: ipaassociation
  objectclass: ipasudorule

2. # ldapsearch -LLL -Y GSSAPI -b ou=SUDOers,dc=testrelm,dc=com
SASL/GSSAPI authentication started
SASL username: admin@TESTRELM.COM
SASL data security layer installed.
dn: ou=sudoers,dc=testrelm,dc=com
objectClass: extensibleObject
ou: sudoers

dn: cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
sudoUser: user1
sudoHost: +hostgrp1
cn: sudorule1

3. [root@dhcp201-207 ~]#  ssh -o StrictHostKeyChecking=no -l user1 dhcp201-207.testrelm.com
user1@dhcp201-207.testrelm.com's password: 
Last login: Wed Jun 20 07:06:09 2012 from dhcp201-207.testrelm.com

4. -sh-4.2$ sudo -l

Actual results:
Jun 20 07:06:17 dhcp201-207 kernel: [1039881.361685] sssd_nss[20374]: segfault at 20 ip 0000003af5e89d8d sp 00007fff523572d8 error 4 in libc-2.15.so[3af5e00000+1ac000]
Jun 20 07:06:17 dhcp201-207 abrtd: Directory 'ccpp-2012-06-20-07:06:17-20374' creation detected
Jun 20 07:06:17 dhcp201-207 abrt[20454]: Saved core dump of pid 20374 (/usr/libexec/sssd/sssd_nss) to /var/spool/abrt/ccpp-2012-06-20-07:06:17-20374 (1142784 bytes)
Jun 20 07:06:17 dhcp201-207 sssd[nss]: Starting up

Expected results: No crash detected.

Additional info:

relevant sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dhcp201-207.testrelm.com
chpass_provider = ipa
ipa_server = dhcp201-207.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, pam, ssh
config_file_version = 2

domains = testrelm.com

sudo debug:
-sh-4.2$ sudo -l
LDAP Config Summary
uri              ldap://dhcp201-207.testrelm.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=testrelm,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
bindpw           bind123
bind_timelimit   5
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
sudo: ldap_initialize(ld, ldap://dhcp201-207.testrelm.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=SUDOers,dc=testrelm,dc=com
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=testrelm,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+hostgrp1' ... not
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=testrelm,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x42
[sudo] password for user1:

Comment 1 Stephen Gallagher 2012-06-20 08:01:45 EDT
Upstream ticket:

Comment 2 Stephen Gallagher 2012-06-20 08:06:50 EDT
Closing as an UPSTREAM bug. This was reported against an unreleased upstream nightly build. It belongs in the upstream bug tracker, not Fedora.