Hide Forgot
+++ This bug was initially created as a clone of Bug #1043546 +++ Description of problem: Investigation of the Bug 1041732 showed there are two separate crashes. This is a tracking bug for the crash that occurs in slapi-nis (first crash in the original bug). Version-Release number of selected component (if applicable): slapi-nis-0.50-1.fc20.x86_64 How reproducible: always Steps to Reproduce: 1. Install IPA server on F20 2. Install IPA AD trust support See the Bug 1041732 for attached stacktrace, core dump and other additional information. Particularly note https://bugzilla.redhat.com/show_bug.cgi?id=1041732#c6 --- Additional comment from Fedora Update System on 2013-12-16 14:11:11 EST --- slapi-nis-0.52-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc20 --- Additional comment from Fedora Update System on 2013-12-16 14:11:24 EST --- slapi-nis-0.52-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc18 --- Additional comment from Fedora Update System on 2013-12-16 14:11:36 EST --- slapi-nis-0.52-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/slapi-nis-0.52-1.fc19
Just checking, isn't this Bug only applicable to the updated RHEL-7.0 slapi-nis?
We only started triggering it on some systems while doing ipa-adtrust-install, but the bug in slapi-nis that it hit has been there since the very first release.
Please add steps to verify
I don't think we've seen the described crash on EL6, though that may be up to differences in how the memcpy() implementation being used differs between the releases. Actually, I'm not reproducing it on updated EL7, either. The triggering scenario involved adding and then removing a single map, where the bug being hit during its removal would corrupt an internal array such that the plugin's subsequent attempts to manipulate its data would... go badly . An attempt to force this would probably involve adding many maps to the plugin's configuration and then removing them in the order in which they'd been added. This test, however, isn't doing much more than chewing up connections on my EL6 box: #!/bin/bash managerpw=supersecretsecret base=`grep ^basedn= /etc/ipa/default.conf | cut -f2- -d=` domain=`grep ^domain= /etc/ipa/default.conf | cut -f2- -d=` count=1025 for map in `seq $count`; do ldapadd -h localhost -x -D "cn=directory manager" -w "$managerpw" <<- EOF dn: nis-map=map$map+nis-domain=sub.example.com,cn=NIS Server,cn=plugins,cn=config objectclass: extensibleObject nis-map: map$map nis-domain: sub.example.com nis-base: cn=accounts,$base nis-filter: objectclass=* nis-keys-format: %{entrydn} nis-values-format: %{modifyTimestamp} nis-secure: no EOF done for map in `seq $count`; do for maps in `seq $map 32 $count`; do ypcat -k -h localhost -d sub.example.com "map$maps" > /dev/null done ldapdelete -h localhost -x -D "cn=directory manager" -w "$managerpw" "nis-map=map$map+nis-domain=sub.example.com,cn=NIS Server,cn=plugins,cn=config" done This may end up having to be a sanity-only bug.
Unable to reproduce this error on either RHEL6.5 or RHEL6.6. I'm marking this one verified sanityonly. Verified. Version :: slapi-nis-0.40-6.el6.x86_64 Results :: [root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$IPA_NETBIOS -a Secret123 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring CIFS [1/18]: stopping smbd [2/18]: creating samba domain object [3/18]: creating samba config registry [4/18]: writing samba config file [5/18]: adding cifs Kerberos principal [6/18]: adding cifs principal to S4U2Proxy targets [7/18]: adding admin(group) SIDs [8/18]: adding RID bases [9/18]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [10/18]: activating CLDAP plugin [11/18]: activating sidgen plugin and task [12/18]: activating extdom plugin [13/18]: configuring smbd to start on boot [14/18]: adding special DNS service records [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [16/18]: adding fallback group [17/18]: setting SELinux booleans [18/18]: starting CIFS services Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [root@rhel6-1 ~]# ipactl status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING DNS Service: RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA Service: RUNNING ADTRUST Service: RUNNING EXTID Service: RUNNING [root@rhel6-1 ~]# grep -i segfault /var/log/ipaserver-install.log [root@rhel6-1 ~]# grep -i segfaul /var/log/messages [root@rhel6-1 ~]# [root@rhel6-1 ~]# echo Secret123 | ipa-compat-manage enable Plugin already Enabled [root@rhel6-1 ~]# echo Secret123| ipa-nis-manage enable Enabling plugin This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started. [root@rhel6-1 ~]# service rpcbind restart Stopping rpcbind: [ OK ] Starting rpcbind: [ OK ] [root@rhel6-1 ~]# service dirsrv restart Shutting down dirsrv: IPA1-EXAMPLE-TEST... [ OK ] PKI-IPA... [ OK ] Starting dirsrv: IPA1-EXAMPLE-TEST... [ OK ] PKI-IPA... [ OK ] [root@rhel6-1 ~]# vi bz1 [root@rhel6-1 ~]# sh bz1 > bz.out 2>&1 [root@rhel6-1 ~]# abrt-cli list [root@rhel6-1 ~]# grep -i segfault /var/log/ipaserver-install.log [root@rhel6-1 ~]# grep -i segfaul /var/log/messages [root@rhel6-1 ~]# cat bz1 #!/bin/bash managerpw=Secret123 base=`grep ^basedn= /etc/ipa/default.conf | cut -f2- -d=` domain=`grep ^domain= /etc/ipa/default.conf | cut -f2- -d=` count=1025 for map in `seq $count`; do ldapadd -h localhost -x -D "cn=directory manager" -w "$managerpw" <<-EOF dn: nis-map=map$map+nis-domain=ipa1.example.test,cn=NIS Server,cn=plugins,cn=config objectclass: extensibleObject nis-map: map$map nis-domain: ipa1.example.test nis-base: cn=accounts,$base nis-filter: objectclass=* nis-keys-format: %{entrydn} nis-values-format: %{modifyTimestamp} nis-secure: no EOF done for map in `seq $count`; do for maps in `seq $map 32 $count`; do ypcat -k -h localhost -d ipa1.example.test "map$maps" > /dev/null done ldapdelete -h localhost -x -D "cn=directory manager" -w "$managerpw" "nis-map=map$map+nis-domain=ipa1.example.test,cn=NIS Server,cn=plugins,cn=config" done