Bug 2035625 - sssd AD auth broken with sssd_be segfault
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 35
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: sssd-maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-26 04:30 UTC by Scott Dowdle
Modified: 2022-01-04 08:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-26 06:31:26 UTC
Type: Bug


Description Scott Dowdle 2021-12-26 04:30:40 UTC
All of my F35 hosts no longer have working active directory authentication via sssd... and I'm receiving the following segfault error every few seconds:

sssd_be[pid]: segfault at 0 ip 00007f9cfecb00da sp 00007ffd389203e8 error 4 in libc.so.6

In the journal log entries for sssd I see:
sssd_be[2341]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

Comment 1 Alexander Bokovoy 2021-12-26 05:19:08 UTC
Please see recommendations at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#ensuring-support-for-common-encryption-types-in-ad-and-rhel_connecting-rhel-systems-directly-to-ad-using-sssd

Fedora 35 does not enable the RC4 cipher in Kerberos; this means SSSD would attempt to use AES ciphers by default. If your AD users do not have AES keys, then there would be no common encryption type.

It would, however, be good to see the full crash dump and stack trace. Maybe there is something else at play too.

Could you please enable 'debug_level=9' in the domain section?
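
Added example, not part of the original comment or of SSSD: a small audit that decodes the AD `msDS-SupportedEncryptionTypes` bitmask for a set of accounts and reports which ones share no encryption type with an AES-only client, the condition behind "KDC has no support for encryption type". Assumptions: the attribute is used as a proxy for which keys the account has, an unset attribute is treated as RC4-only, and the account names and values are constructed sample data.

```python
# Added example: bit values follow the msDS-SupportedEncryptionTypes
# attribute definition; the sample accounts below are constructed.
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",             # RC4
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Assumption: AES-only list standing in for a client with RC4 disabled.
CLIENT_AES_ONLY = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
# Assumption: an unset or zero attribute is treated as RC4-only.
LEGACY_DEFAULT = 0x04


def decode_ad_enctypes(value):
    """Return the enctype names enabled in an attribute value."""
    if not value:
        value = LEGACY_DEFAULT
    return [name for bit, name in AD_ENCTYPE_BITS.items() if value & bit]


def common_enctypes(ad_value, client_enctypes):
    """Enctypes both sides accept, in the client's preference order."""
    offered = set(decode_ad_enctypes(ad_value))
    return [e for e in client_enctypes if e in offered]


def audit(accounts, client_enctypes):
    """Map each account to its shared enctypes; an empty list means no match."""
    return {name: common_enctypes(value, client_enctypes)
            for name, value in accounts.items()}


# Constructed sample data: account -> attribute value (None = unset).
SAMPLE_ACCOUNTS = {
    "host-a$": 0x1C,   # RC4 + AES128 + AES256
    "host-b$": 0x04,   # RC4 only
    "svc-old": None,   # attribute unset
    "host-c$": 0x18,   # AES128 + AES256
}

if __name__ == "__main__":
    for account, shared in audit(SAMPLE_ACCOUNTS, CLIENT_AES_ONLY).items():
        status = "ok: " + ", ".join(shared) if shared else "NO COMMON ENCTYPE"
        print(f"{account:10} {status}")
```

Accounts reported with no common enctype are the ones to fix on the AD side (AES enabled and keys regenerated) before relying on a client without RC4.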

Comment 2 Scott Dowdle 2021-12-26 06:31:26 UTC
I used the recommendation from the RHEL8 article that you pointed me to... and that works.  I just didn't expect this behavior having run into the problem as a result of upgrading from F34 (where it was working) to F35.  Sounds like something to have a wiki page about.

Marking as closed.

Comment 3 Alexey Tikhonov 2021-12-27 11:09:49 UTC
Hi,

Could you please still provide a coredump and, ideally, sssd_$domain.log with debug_level=9 that corresponds to this crash?

IIRC, sssd_be doesn't operate kerberos credentials so dump shouldn't have it either, but if this worries you please feel free to email me or sssd-maintainers.org directly.

Comment 4 Scott Dowdle 2022-01-04 02:48:56 UTC
Sorry, I don't have any more broken systems to do that stuff.

Comment 5 Alexey Tikhonov 2022-01-04 08:42:19 UTC
Please reopen in case new information is available.
