Bug 1314877 - Segfault during ipa client install for 7.2 client with 6.8 IPA Server
Status: CLOSED DUPLICATE of bug 1311559
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christian Heimes
QA Contact: Kaleem
Docs Contact: Aneta Šteflová Petrová
Reported: 2016-03-04 18:06 UTC by Kaleem
Modified: 2016-03-08 12:20 UTC
Doc Type: Known Issue
Doc Text:
Enrolling a Red Hat Enterprise Linux 7.2 IdM client with a Red Hat Enterprise Linux 6.8 server fails
A segmentation fault prevents an Identity Management (IdM) client based on Red Hat Enterprise Linux 7.2 from being successfully enrolled with an IdM server running Red Hat Enterprise Linux 6.8. The segmentation fault occurs after the user runs the ipa-client-install utility and causes the client installation process to fail. No workaround is currently available.
Last Closed: 2016-03-08 12:20:52 UTC


Attachments:
mail text received for segfault seen (52.55 KB, text/plain), 2016-03-04 18:06 UTC, Kaleem

Description Kaleem 2016-03-04 18:06:05 UTC
Created attachment 1133230: mail text received for segfault seen

Description of problem:

This segfault was observed when we tried to install a 7.2.update2 IPA client to a 6.8 IPA server.

Version-Release number of selected component (if applicable):
6.8 IPA:
========
[root@auto-hv-02-guest02 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.x86_64
[root@auto-hv-02-guest02 ~]# 

7.2 IPA:
========
[root@hp-dl380pgen8-02-vm-8 ~]# rpm -q ipa-client
ipa-client-4.2.0-15.el7_2.6.x86_64
[root@hp-dl380pgen8-02-vm-8 ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Install 7.2 IPA client with 6.8 IPA Server.

Actual results:
Segfault seen during ipa-join and client install fails.

Expected results:
No segfault and client install should be successful.


Additional info:
(1) Please find the attached segfault info

Comment 1 Petr Vobornik 2016-03-04 18:13:59 UTC
Kaleem, what is the version of nss?

I wonder if it is bug 1312449

Comment 2 Kaleem 2016-03-04 18:15:13 UTC
[root@hp-dl380pgen8-02-vm-8 ~]# rpm -q nss
nss-3.21.0-1.el7_2.x86_64
[root@hp-dl380pgen8-02-vm-8 ~]#

Comment 8 Christian Heimes 2016-03-07 14:20:56 UTC
Kai, can you have a look? Petr thinks this looks like BZ #1312449. The segfault occurs in ssl3_InitHandshakeHashes(). The system has nss-3.21.0-1.el7_2.x86_64.

Comment 10 Christian Heimes 2016-03-07 15:51:24 UTC
I'm getting a segfault for TLS/SSL handshake in libldap and NSS:

(gdb) run /usr/sbin/ipa-client-install
Starting program: /usr/bin/python /usr/sbin/ipa-client-install
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Detaching after fork from child process 583.
Detaching after fork from child process 585.
Detaching after fork from child process 586.
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Using existing certificate '/etc/ipa/ca.crt'.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffeb57d5ff in ssl3_InitHandshakeHashes () from /lib64/libssl3.so

(gdb) bt
#0  0x00007fffeb57d5ff in ssl3_InitHandshakeHashes () from /lib64/libssl3.so
#1  0x00007fffeb588292 in ssl3_HandleHandshakeMessage () from /lib64/libssl3.so
#2  0x00007fffeb58b091 in ssl3_HandleRecord () from /lib64/libssl3.so
#3  0x00007fffeb58c4e2 in ssl3_GatherCompleteHandshake () from /lib64/libssl3.so
#4  0x00007fffeb58d2c5 in ssl_GatherRecord1stHandshake () from /lib64/libssl3.so
#5  0x00007fffeb595a65 in ssl_Do1stHandshake () from /lib64/libssl3.so
#6  0x00007fffeb596067 in SSL_ForceHandshake () from /lib64/libssl3.so
#7  0x00007fffe98d39d6 in tlsm_session_accept_or_connect () from /lib64/libldap_r-2.4.so.2
#8  0x00007fffe98cfd35 in ldap_int_tls_connect.isra.2 () from /lib64/libldap_r-2.4.so.2
#9  0x00007fffe98d05b8 in ldap_int_tls_start () from /lib64/libldap_r-2.4.so.2
#10 0x00007fffe98d09b1 in ldap_start_tls_s () from /lib64/libldap_r-2.4.so.2
#11 0x00007fffe9af61ff in l_ldap_start_tls_s (self=0x15d6648, args=<optimized out>) at Modules/LDAPObject.c:1164
#12 0x00007ffff7af6702 in ext_do_call (nk=<optimized out>, na=<optimized out>, flags=<optimized out>, pp_stack=0x7fffffffcc20, 
    func=<built-in method start_tls_s of LDAP object at remote 0x15d6648>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4408
#13 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x163f660, for file /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 99, in _ldap_call (self=<SimpleLDAPObject(_ldap_object_lock=<LDAPLock(_lock=<thread.lock at remote 0x15d71f0>, _desc='opcall within <ldap.ldapobject.SimpleLDAPObject instance at 0x15eb758>') at remote 0x15ebab8>, _l=<LDAP at remote 0x15d6648>, _trace_stack_limit=None, timeout=-1, _uri='ldap://auto-hv-02-guest02.testrelm.test:389', _trace_file=<file at remote 0x7ffff7fc4150>, _trace_level=0) at remote 0x15eb758>, func=<built-in method start_tls_s of LDAP object at remote 0x15d6648>, args=(), kwargs={}, diagnostic_message_success=None), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2779
#14 0x00007ffff7af71ed in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=locals@entry=0x0, args=<optimized out>, argcount=argcount@entry=2, 
    kws=0x1642ad0, kwcount=0, defs=0x0, defcount=0, closure=closure@entry=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#15 0x00007ffff7af589f in fast_function (nk=<optimized out>, na=2, n=2, pp_stack=0x7fffffffce20, func=<function at remote 0xc7a398>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4194
#16 call_function (oparg=<optimized out>, pp_stack=0x7fffffffce20) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#17 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x1642940, for file /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 564, in start_tls_s (self=<SimpleLDAPObject(_ldap_object_lock=<LDAPLock(_lock=<thread.lock at remote 0x15d71f0>, _desc='opcall within <ldap.ldapobject.SimpleLDAPObject instance at 0x15eb758>') at remote 0x15ebab8>, _l=<LDAP at remote 0x15d6648>, _trace_stack_limit=None, timeout=-1, _uri='ldap://auto-hv-02-guest02.testrelm.test:389', _trace_file=<file at remote 0x7ffff7fc4150>, _trace_level=0) at remote 0x15eb758>), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#18 0x00007ffff7af5990 in fast_function (nk=<optimized out>, na=1, n=1, pp_stack=0x7fffffffcf80, func=<function at remote 0xc7b9b0>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#19 call_function (oparg=<optimized out>, pp_stack=0x7fffffffcf80) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#20 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x1636880, for file /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1571, in __init__ (self=<IPAdmin(_schema=None, cacert='/etc/ipa/ca.crt', warning=<instancemethod at remote 0x1296af0>, port=389, _conn=<SimpleLDAPObject(_ldap_object_lock=<LDAPLock(_lock=<thread.lock at remote 0x15d71f0>, _desc='opcall within <ldap.ldapobject.SimpleLDAPObject instance at 0x15eb758>') at remote 0x15ebab8>, _l=<LDAP at remote 0x15d6648>, _trace_stack_limit=None, timeout=-1, _uri='ldap://auto-hv-02-guest02.testrelm.test:389', _trace_file=<file at remote 0x7ffff7fc4150>, _trace_level=0) at remote 0x15eb758>, realm=None, __log_manager=<IPALogManager(loggers={'ipa.ipaplatform.base.tasks': <Logger(name='ipa.ipaplatform.base.tasks', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0xa1be90>, handlers=[<FileHandler(stream=<file at remote 0x156cae0>, level=10, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__b...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740


I've tcpdumped port 389 and analyzed the traffic with Wireshark. The client does a proper START TLS and requests TLSv1.2. The server replies with a TLSv1.2 ServerHello, Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f). The connection breaks down after ServerHelloDone.
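
The triage step in comment 10, reading the backtrace to see which library the crash sits in and who called into it, as an added example that is not part of the original comment: a small parser that groups gdb frames by module, run over frames excerpted from the backtrace above. The names `parse_frames` and `module_chain` are hypothetical, and frames that gdb wrapped across several lines are skipped.

```python
import re

# Frames excerpted from the backtrace in comment 10 (a subset, copied as shown).
BACKTRACE = """\
#0  0x00007fffeb57d5ff in ssl3_InitHandshakeHashes () from /lib64/libssl3.so
#1  0x00007fffeb588292 in ssl3_HandleHandshakeMessage () from /lib64/libssl3.so
#6  0x00007fffeb596067 in SSL_ForceHandshake () from /lib64/libssl3.so
#7  0x00007fffe98d39d6 in tlsm_session_accept_or_connect () from /lib64/libldap_r-2.4.so.2
#10 0x00007fffe98d09b1 in ldap_start_tls_s () from /lib64/libldap_r-2.4.so.2
#11 0x00007fffe9af61ff in l_ldap_start_tls_s (self=0x15d6648, args=<optimized out>) at Modules/LDAPObject.c:1164
#16 call_function (oparg=<optimized out>, pp_stack=0x7fffffffce20) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
"""

# One-line gdb frame: "#N [0xADDR in] func (args) from LIB" or "... at FILE:LINE".
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w.]+) \(.*\)"
    r" (?:from (?P<lib>\S+)|at (?P<src>[^:\s]+):\d+)\s*$"
)


def parse_frames(text):
    """Return (frame number, function, module) for each parsable frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # Module is the shared object, or the source file when symbols exist.
            module = m.group("lib") or m.group("src")
            frames.append((int(m.group("n")), m.group("func"), module))
    return frames


def module_chain(frames):
    """Collapse consecutive frames in the same module, innermost first."""
    chain = []
    for _, func, module in frames:
        if not chain or chain[-1][0] != module:
            chain.append((module, func))  # func is the innermost frame in module
    return chain


if __name__ == "__main__":
    chain = module_chain(parse_frames(BACKTRACE))
    print("faulting frame: %s in %s" % (chain[0][1], chain[0][0]))
    for module, func in chain[1:]:
        print("  called from %s (%s)" % (module, func))
```

Running `rpm -qf` on the first module path in the chain names the package that owns the faulting library, which is the version to compare against the builds discussed in this bug.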

Comment 11 Kai Engert (:kaie) (inactive account) 2016-03-08 11:44:44 UTC
This was a known broken build, which, I believe, was never shipped to customers.


Please tell me:

(a) from where did you get nss-3.21.0-1.el7_2?

(b) does downgrading to nss-3.19.1-19.el7_2 fix the bug for you?

If (b) fixes it for you, then this is a duplicate of bug 1311559.