Bug 1091957

| Field | Value |
|---|---|
| Summary: | sssd_be crashes when ad_domain=junk and adding host/fqdn upn |
| Product: | Red Hat Enterprise Linux 7 |
| Component: | sssd |
| Version: | 7.0 |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | Kaushik Banerjee <kbanerje> |
| Assignee: | Jakub Hrozek <jhrozek> |
| QA Contact: | Kaushik Banerjee <kbanerje> |
| CC: | bugzilla, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl |
| Target Milestone: | rc |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | sssd-1.12.0-1.el7 |
| Doc Type: | Bug Fix |
| Type: | Bug |
| Last Closed: | 2015-03-05 10:27:54 UTC |

Interesting, was this a real AD or a Samba server? The code that crashes was so far only hit when using a Samba server as the crash occurs when the 'forest' attribute can't be read..

Upstream ticket: https://fedorahosted.org/sssd/ticket/2311

(In reply to Jakub Hrozek from comment #2)
> Interesting, was this a real AD or a Samba server? The code that crashes was
> so far only hit when using a Samba server as the crash occurs when the
> 'forest' attribute can't be read..

Real AD

OK, we might want to backport the fix for #2311 to RHEL, it's been in upstream 1.11 for some time already.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Please backport this patch! I've manually done it myself and rebuilt the SRPM and confirmed it to fix the problem.

(In reply to David Mansfield from comment #8)
> Please backport this patch! I've manually done it myself and rebuilt the
> SRPM and confirmed it to fix the problem.

Which version you'd like the rebase to? We're rebasing to 1.11.6 in RHEL-6.6, the version we're rebasing to will contain this fix.

(In reply to Jakub Hrozek from comment #9)
> (In reply to David Mansfield from comment #8)
> > Please backport this patch! I've manually done it myself and rebuilt the
> > SRPM and confirmed it to fix the problem.
>
> Which version you'd like the rebase to?

Sorry, I meant to say "backport" not "rebase".

Created attachment 918235 [details]
backport patch from sssd ticket#2311

This bug is about rhel 7 version. When you say you're backporting to 1.11.6 for rhel-6.6 does this also apply to rhel 7?

Not quite sure here.

What I did was apply the attached patch on top of the SRPM for sssd, rebuild and update. Problem solved for me (although there may ALSO be an selinux issue to work out - I'll keep you informed).

(In reply to David Mansfield from comment #11)
> Created attachment 918235 [details]
> backport patch from sssd ticket#2311
>
> This bug is about rhel 7 version. When you say you're backporting to 1.11.6
> for rhel-6.6 does this also apply to rhel 7?
>
> Not quite sure here.
>

Ah, sorry, I understand now. Here is a hopefully less confusing answer:

* This bug hits RHEL-7.0. The fix is not in the 7.0 packages, currently it's planned for 7.1. If you'd like the fix for RHEL-7 released sooner than the 7.1 timeframe, I'd suggest to raise a support case with Red Hat and ask for a hotfix.
* We are rebasing SSSD to 1.11.x in RHEL-6, but the tarball we are rebasing to already contains the fix

> What I did was apply the attached patch on top of the SRPM for sssd, rebuild
> and update. Problem solved for me (although there may ALSO be an selinux
> issue to work out - I'll keep you informed).

Thank you for the testing, don't hesitate to bring up any issues you may find.

Well, it seems there is nothing with selinux after all. The attached patch does fix all of my problems. I do strongly top that, if possible, a "hotfix" (by which you mean a new release of the package) is done eventually. After all, the bug in question was backported in, so to say, by RH. Version 1.11.2 doesn't have this bug, but the patch:

0120-AD-connect-to-forest-root-when-downloading-the-list-.patch

In the SRPM introduces the flaw.

Anyway, either you'll do it or I'll have to distribute an in-house fixed SRPM if we ever get to deploying RHEL 7.

(In reply to David Mansfield from comment #13)
> Anyway, either you'll do it or I'll have to distribute an in-house fixed
> SRPM if we ever get to deploying RHEL 7.

If you want to have this fix in RHEL7.0 I will suggest to raise a support case with Red Hat and ask for a hotfix.

(In reply to David Mansfield from comment #13)
> Well, it seems there is nothing with selinux after all. The attached patch
> does fix all of my problems. I do strongly top that, if possible, a
> "hotfix" (by which you mean a new release of the package) is done eventually.
>

Right now, the fix is scheduled for 7.1. I'm sorry, but I can't release a new version in RHEL asynchronously without an approved bugzilla backed by a support request. Please raise this issue with your Red Hat support representative, feel free to ping me with the support case number so I can chime in.

Verified in version 1.12.2-28.el7

Output from beaker automation run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_domain_002: bz1091957 ad_domain=junk and first entry in keytab is valid
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'No principal matching IDM-QE-01$@JUNK'
:: [ PASS ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'No principal matching host/\*@JUNK found in keytab'
:: [ PASS ] :: File '/var/log/sssd/sssd_SSSDAD2012.log' should contain 'Selected realm: SSSDAD2012.COM'
:: [ PASS ] :: Command 'getent passwd $AD_SERVER1_SHORT_REALM\\testuser01-${JOBID}' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/messages' should not contain 'segfault'
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_domain_002: bz1091957 ad_domain=junk and first entry in keytab is valid

Is there any public location for downloading this version of sssd or the SRPM? (version 1.12.2-28.el7).

(In reply to David Mansfield from comment #18)
> Is there any public location for downloading this version of sssd or the
> SRPM? (version 1.12.2-28.el7).

This repo is two releases behind (-26) but should work for the purpose of reproducing this particular bug: https://copr.fedoraproject.org/coprs/mkosek/freeipa/

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html

Created attachment 890445 [details]
sssd_be crash backtrace

Description of problem:
sssd_be crashes when ad_domain=junk and adding host/fqdn upn

Version-Release number of selected component (if applicable):
1.11.2-65.el7

How reproducible:
Always

Steps to Reproduce:
1. Join to the AD using: realm join --user-principal=host/fqdn
2. Configure sssd.conf domain section as:
   [domain/ADTEST]
   debug_level = 0xFFF0
   id_provider = ad
   ad_domain = junk
   ad_server=<adserver>
3. klist list the entries in the order:
   host/<client fqdn>@<AD REALM>
   host/<client shorthost>@<AD REALM>
   <CLIENT SHORT HOST>$@<AD REALM>
4. Restart sssd with clean cache
5. getent passwd <user on ad server>

Actual results:
sssd_be crashes. See backtrace

Expected results:

Additional info:
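
An added example, not part of the original report or of SSSD: a pre-flight check for the condition in the reproducer, an AD domain section whose `ad_domain` realm has no principal in the keytab (the `...@JUNK` lookups in the beaker log). The configuration and `klist -k` output are constructed samples, the `ad_server` value is a placeholder, and the function names are hypothetical; the check flags the mismatch only, it does not detect the crash itself.

```python
import configparser

# Constructed sample modelled on the reproducer; ad_server is a placeholder.
SSSD_CONF = """\
[domain/ADTEST]
id_provider = ad
ad_domain = junk
ad_server = ad1.sssdad2012.com
"""

# Constructed `klist -k` output; host name and realm are sample values.
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/idm-qe-01.sssdad2012.com@SSSDAD2012.COM
   2 host/idm-qe-01@SSSDAD2012.COM
   2 IDM-QE-01$@SSSDAD2012.COM
"""


def keytab_realms(klist_output):
    """Return the set of realms of all principals listed by `klist -k`."""
    realms = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines look like "<kvno> <principal>@<REALM>".
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[1]:
            realms.add(fields[1].rsplit("@", 1)[1].upper())
    return realms


def mismatched_ad_domains(conf_text, klist_output):
    """List (section, realm) for AD domains with no keytab principal in that realm."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    realms = keytab_realms(klist_output)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "id_provider", fallback="") != "ad":
            continue
        # Without ad_domain, the AD provider uses the configured domain name.
        default = section.split("/", 1)[1]
        realm = cfg.get(section, "ad_domain", fallback=default).upper()
        if realm not in realms:
            findings.append((section, realm))
    return findings
```
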