Bug 996214
| Field | Value |
|---|---|
| Summary | sssd proxy_child segfault |
| Product | [Fedora] Fedora |
| Component | sssd |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Version | 19 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | sssd-1.11.0-0.2.beta2.fc19 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-09-12 02:03:04 UTC |
| Reporter | Paolo Penzo <paolo.penzo> |
| Assignee | Jakub Hrozek <jhrozek> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abokovoy, falchimarco1979, jhrozek, lslebodn, okos, paolo.penzo, pbrezina, sbose, sgallagh, ssorce |

Description
Paolo Penzo
2013-08-12 16:43:26 UTC

Are you able to reproduce this crash? We would need more information to find out why sssd crashed. Can you provide steps to reproduce? Can you provide a coredump from the crashed process? If you have enabled the abrt service, the corefile will be (should be) stored in the directory /var/spool/abrt/ccpp-<date_of_crash>/coredump or /var/tmp/abrt/ccpp-<date_of_crash>/coredump

Could you please also post configurations of sssd and the proxy provider (probably nslcd?)

Created attachment 786473
sssd config

Created attachment 786474
pam proxy service config

Created attachment 786475
krb5 config

Created attachment 786476
system-auth-ac

The issue is always reproducible since it is sufficient to configure an ldap domain using a pam proxy to authenticate users. The issue is there also with sssd 1.11.0-0.1.beta2.fc19.x86_64. Configurations for sssd, pam, etc. are attached.

Created attachment 786479
compressed coredump

Upstream ticket: https://fedorahosted.org/sssd/ticket/2046

Hello, a patch was submitted upstream and is awaiting review. https://lists.fedorahosted.org/pipermail/sssd-devel/2013-August/016059.html

Fixed upstream.

btw what is the reason for using the proxy provider at all? Could you simply use auth_provider=krb5? See man sssd-krb5 for more details.

In my organization, all users and groups are defined in a unique ldap server which provides only user and group information and also guarantees uid and gid uniqueness, whereas user authentication is done via kerberos. User principals are scattered across multiple kerberos realms but the primary part of their principal is unique, i.e. USER1 is defined only in realm REALM1 and so on. Hence, since users log in using only the primary part of their krb5 principal, I need the mappings capability of pam_krb5 to silently redirect authentication to the "right" KDC. AFAIK at the moment sssd does not provide such a powerful regex based mapping capability - see comment #5 - so this is why I'm using the proxy auth provider.

(In reply to Paolo Penzo from comment #13)
> In my organization, all users and groups are defined in a unique ldap
> server which provides only user and group information and also guarantees uid
> and gid uniqueness, whereas user authentication is done via kerberos. User
> principals are scattered across multiple kerberos realms but the primary part
> of their principal is unique, i.e. USER1 is defined only in realm REALM1 and
> so on.
> Hence, since users log in using only the primary part of their krb5
> principal, I need the mappings capability of pam_krb5 to silently redirect
> authentication to the "right" KDC.
> AFAIK at the moment sssd does not provide such a powerful regex based mapping
> capability - see comment #5 - so this is why I'm using the proxy auth
> provider.

Yes, you're right, this functionality is missing from the sssd Kerberos provider.
But I will file an upstream ticket to track this feature request in the sssd, I would like the proxy provider to disappear down the road: https://fedorahosted.org/sssd/ticket/2048

It would be nice and for sure it will ease configurations like mine. However IMHO the complete removal of the auth_proxy feature will also remove some flexibility in sssd config since right now it's possible to have a complete separate PAM stack for each configured domain.

(In reply to Paolo Penzo from comment #15)
> It would be nice and for sure it will ease configurations like mine. However
> IMHO the complete removal of the auth_proxy feature will also remove some
> flexibility in sssd config since right now it's possible to have a complete
> separate PAM stack for each configured domain.

OK, I probably phrased the previous comment wrong. It's unlikely we'll remove the proxy provider completely, but I'd like to minimize the need for it. It's still going to be valid for wrapping completely foreign PAM stacks as you noted. Also, we haven't really committed ourselves to the regex feature yet.

Do you plan to release a new version with this patch in next days?

(In reply to Paolo Penzo from comment #17)
> Do you plan to release a new version with this patch in next days?

I'm building the update now. Sorry for the delay, I also wanted to get (new and revised) patches for #967012 and they have been discussed on the upstream devel list still this week.

That's fine, thanks!

sssd-1.11.0-0.2.beta2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sssd-1.11.0-0.2.beta2.fc19

Package sssd-1.11.0-0.2.beta2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-0.2.beta2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15215/sssd-1.11.0-0.2.beta2.fc19
then log in and leave karma (feedback).

sssd-1.11.0-0.2.beta2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.