Bug 1091957 - sssd_be crashes when ad_domain=junk and adding host/fqdn upn
Summary: sssd_be crashes when ad_domain=junk and adding host/fqdn upn
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-04-28 11:36 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:41 UTC (History)

Fixed In Version: sssd-1.12.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:27:54 UTC
Target Upstream Version:
Embargoed:


Attachments
sssd_be crash backtrace (4.55 KB, text/plain)
2014-04-28 11:36 UTC, Kaushik Banerjee
backport patch from sssd ticket#2311 (708 bytes, patch)
2014-07-15 19:25 UTC, David Mansfield


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3353 0 None None None 2020-05-02 17:41:40 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Internal Links: 2087581

Description Kaushik Banerjee 2014-04-28 11:36:31 UTC
Created attachment 890445 [details]
sssd_be crash backtrace

Description of problem:
sssd_be crashes when ad_domain=junk and adding host/fqdn upn

Version-Release number of selected component (if applicable):
1.11.2-65.el7

How reproducible:
Always

Steps to Reproduce:
1. Join to the AD using:
realm join --user-principal=host/fqdn

2. Configure sssd.conf domain section as:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ad
ad_domain = junk
ad_server=<adserver>

3. klist list the entries in the order:
host/<client fqdn>@<AD REALM>
host/<client shorthost>@<AD REALM>
<CLIENT SHORT HOST>$@<AD REALM>

4. Restart sssd with clean cache

5. getent passwd <user on ad server>

Actual results:
sssd_be crashes. See backtrace

Expected results:


Additional info:

Comment 2 Jakub Hrozek 2014-04-28 12:20:49 UTC
Interesting, was this a real AD or a Samba server? The code that crashes was so far only hit when using a Samba server as the crash occurs when the 'forest' attribute can't be read.

Comment 3 Jakub Hrozek 2014-04-28 12:25:14 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2311

Comment 4 Kaushik Banerjee 2014-04-28 12:27:43 UTC
(In reply to Jakub Hrozek from comment #2)
> Interesting, was this a real AD or a Samba server? The code that crashes was
> so far only hit when using a Samba server as the crash occurs when the
> 'forest' attribute can't be read..

Real AD

Comment 5 Jakub Hrozek 2014-04-28 12:38:07 UTC
OK, we might want to backport the fix for #2311 to RHEL, it's been in upstream 1.11 for some time already.

Comment 6 RHEL Program Management 2014-05-08 05:47:16 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 8 David Mansfield 2014-07-14 18:57:25 UTC
Please backport this patch!  I've manually done it myself and rebuilt the SRPM and confirmed it to fix the problem.

Comment 9 Jakub Hrozek 2014-07-15 07:42:03 UTC
(In reply to David Mansfield from comment #8)
> Please backport this patch!  I've manually done it myself and rebuilt the
> SRPM and confirmed it to fix the problem.

Which version would you like the rebase to?

We're rebasing to 1.11.6 in RHEL-6.6, the version we're rebasing to will contain this fix.

Comment 10 Jakub Hrozek 2014-07-15 07:45:47 UTC
(In reply to Jakub Hrozek from comment #9)
> (In reply to David Mansfield from comment #8)
> > Please backport this patch!  I've manually done it myself and rebuilt the
> > SRPM and confirmed it to fix the problem.
> 
> Which version you'd like the rebase to?

Sorry, I meant to say "backport" not "rebase".

Comment 11 David Mansfield 2014-07-15 19:25:49 UTC
Created attachment 918235 [details]
backport patch from sssd ticket#2311

This bug is about rhel 7 version.  When you say you're backporting to 1.11.6 for rhel-6.6 does this also apply to rhel 7?

Not quite sure here.  

What I did was apply the attached patch on top of the SRPM for sssd, rebuild and update.  Problem solved for me (although there may ALSO be an selinux issue to work out - I'll keep you informed).

Comment 12 Jakub Hrozek 2014-07-16 07:24:45 UTC
(In reply to David Mansfield from comment #11)
> Created attachment 918235 [details]
> backport patch from sssd ticket#2311
> 
> This bug is about rhel 7 version.  When you say you're backporting to 1.11.6
> for rhel-6.6 does this also apply to rhel 7?
> 
> Not quite sure here.  
> 

Ah, sorry, I understand now. Here is a hopefully less confusing answer:
 * This bug hits RHEL-7.0. The fix is not in the 7.0 packages; currently it's planned for 7.1. If you'd like the fix for RHEL-7 released sooner than the 7.1 timeframe, I'd suggest raising a support case with Red Hat and asking for a hotfix.
 * We are rebasing SSSD to 1.11.x in RHEL-6, but the tarball we are rebasing to already contains the fix

> What I did was apply the attached patch on top of the SRPM for sssd, rebuild
> and update.  Problem solved for me (although there may ALSO be an selinux
> issue to work out - I'll keep you informed).

Thank you for the testing, don't hesitate to bring up any issues you may find.

Comment 13 David Mansfield 2014-07-17 13:12:59 UTC
Well, it seems there is nothing with selinux after all. The attached patch does fix all of my problems.  I do strongly top that, if possible, a "hotfix" (by which you mean a new release of the package) is done eventually.

After all, the bug in question was backported in, so to say, by RH. Version 1.11.2 doesn't have this bug, but the patch:

0120-AD-connect-to-forest-root-when-downloading-the-list-.patch

in the SRPM introduces the flaw.

Anyway, either you'll do it or I'll have to distribute an in-house fixed SRPM if we ever get to deploying RHEL 7.

Comment 14 Lukas Slebodnik 2014-07-17 14:25:34 UTC
(In reply to David Mansfield from comment #13)
> Anyway, either you'll do it or I'll have to distribute an in-house fixed
> SRPM if we ever get to deploying RHEL 7.
If you want to have this fix in RHEL7.0 I will suggest raising a support case with Red Hat and asking for a hotfix.

Comment 15 Jakub Hrozek 2014-07-18 06:53:19 UTC
(In reply to David Mansfield from comment #13)
> Well, it seems there is nothing with selinux after all. The attached patch
> does fix all of my problems.  I do strongly top that, if possible, a
> "hotfix" (by which you mean a new release of the package) is done eventually.
> 

Right now, the fix is scheduled for 7.1. I'm sorry, but I can't release a new version in RHEL asynchronously without an approved bugzilla backed by a support request.

Please raise this issue with your Red Hat support representative, feel free to ping me with the support case number so I can chime in.

Comment 17 Kaushik Banerjee 2014-12-03 11:15:44 UTC
Verified in version 1.12.2-28.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_domain_002: bz1091957 ad_domain=junk and first entry in keytab is valid
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'No principal matching IDM-QE-01$@JUNK' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'No principal matching host/\*@JUNK found in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'Selected realm: SSSDAD2012.COM' 
:: [   PASS   ] :: Command 'getent passwd $AD_SERVER1_SHORT_REALM\\testuser01-${JOBID}' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages' should not contain 'segfault' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_domain_002: bz1091957 ad_domain=junk and first entry in keytab is valid
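
The misconfiguration exercised by this bug (an `ad_domain` whose upper-cased realm, `JUNK` in the log above, matches no keytab principal) can be flagged before SSSD is restarted. This is an added example, not part of the bug report or of SSSD; the function names and sample data are constructed, and it assumes `klist -k` style output and ignores any `krb5_realm` override.

```python
import configparser
# Constructed sample inputs; the host and realm names are made up.
SAMPLE_SSSD_CONF = """\
[domain/ADTEST]
id_provider = ad
ad_domain = junk
ad_server = dc1.ad.example.test
"""

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/client1.ad.example.test@AD.EXAMPLE.TEST
   2 host/client1@AD.EXAMPLE.TEST
   2 CLIENT1$@AD.EXAMPLE.TEST
"""

def keytab_realms(klist_text):
    """Collect the realms of all principals in `klist -k` output."""
    realms = set()
    for line in klist_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # skip the header and separator lines
        for token in fields[1:]:
            if "@" in token:
                realms.add(token.rsplit("@", 1)[1])
    return realms

def mismatched_ad_domains(conf_text, klist_text):
    """Return (section, realm, keytab_realms) for AD domains with no keytab match."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    realms = keytab_realms(klist_text)
    findings = []
    for section in parser.sections():
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if not section.startswith("domain/") or provider != "ad":
            continue
        # Assumption: realm = upper-cased ad_domain, defaulting to the domain name.
        ad_domain = parser.get(section, "ad_domain", fallback=section.split("/", 1)[1])
        realm = ad_domain.strip().upper()
        if realm not in realms:
            findings.append((section, realm, sorted(realms)))
    return findings

if __name__ == "__main__":
    print(mismatched_ad_domains(SAMPLE_SSSD_CONF, SAMPLE_KLIST))
```

On a real host, feed it the contents of `/etc/sssd/sssd.conf` and the output of `klist -k`; an empty list means every AD domain section has at least one keytab principal in its realm.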

Comment 18 David Mansfield 2014-12-08 22:50:09 UTC
Is there any public location for downloading this version of sssd or the SRPM? (version 1.12.2-28.el7).

Comment 19 Jakub Hrozek 2014-12-09 08:34:33 UTC
(In reply to David Mansfield from comment #18)
> Is there any public location for downloading this version of sssd or the
> SRPM? (version 1.12.2-28.el7).

This repo is two releases behind (-26) but should work for the purpose of reproducing this particular bug:
https://copr.fedoraproject.org/coprs/mkosek/freeipa/

Comment 21 errata-xmlrpc 2015-03-05 10:27:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html

