Bug 575187 - SSSD pollutes log with error messages
Summary: SSSD pollutes log with error messages
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-03-19 17:14 UTC by Eugene Indenbom
Modified: 2010-06-01 18:13 UTC (History)

Fixed In Version: sssd-1.2.0-12.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-01 18:13:15 UTC



Description Eugene Indenbom 2010-03-19 17:14:25 UTC
Description of problem:
When using an LDAP connection with Kerberos encryption, SSSD pollutes the system log with 2 messages every 10 minutes.

The messages are as follows:
Mar 18 16:54:29 node-1 sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Version-Release number of selected component (if applicable): 1.0.5


How reproducible:

Steps to Reproduce:
1. Configure an SSSD domain with the LDAP id provider and Kerberos authentication and encryption
2. Look into the event log
  
Actual results:
2 error messages appeared every 10 minutes.

Expected results:
No error messages are expected.


Additional info:
SSSD functions normally. The messages are produced by sasl_callback set predefined SASL_CB_LOG.

An error happens during Kerberos packet encryption after the Kerberos ticket has expired.

The error is handled by SSSD later on, but the message gets added to the system log.

There are 2 side problems here:
1. Why is the ticket acquired for only 5 minutes?
2. Why does the reconnect happen only after an error, not in advance?

It makes sense in the case of Kerberos encryption to acquire the ticket for a longer period (say 24h) and reconnect in advance before ticket expiry, avoiding the error message and processing delay.

The workaround for this problem is to use SSL encryption instead of Kerberos.
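
To check whether a host shows the periodic expiry pattern described in this report rather than sporadic authentication failures, the following added example (not part of the original report and not SSSD code) groups the quoted message into bursts per host and reports the interval between them. The sample log lines, the function names, the optional PID in the tag, and the 60-second burst window are assumptions made for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the syslog format quoted in the report (not real logs).
MSG = "GSSAPI Error: The referenced context has expired (Unknown error)"
SAMPLE_LOG = "\n".join([
    f"Mar 18 16:44:29 node-1 sssd_be: {MSG}",
    f"Mar 18 16:44:29 node-1 sssd_be: {MSG}",
    "Mar 18 16:50:02 node-1 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2",
    f"Mar 18 16:54:29 node-1 sssd_be: {MSG}",
    f"Mar 18 16:54:30 node-1 sssd_be: {MSG}",
    f"Mar 18 17:04:29 node-1 sssd_be: {MSG}",
    f"Mar 18 17:04:29 node-1 sssd_be: {MSG}",
])

# Timestamp, host, then the sssd_be tag (the optional PID is an assumption).
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sssd_be(?:\[\d+\])?: "
    r"GSSAPI Error: The referenced context has expired"
)

def expiry_bursts(log_text, year=2010, burst_gap=60):
    """Map host -> list of burst start times; lines within burst_gap
    seconds of a burst's start are counted as part of that burst."""
    bursts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        starts = bursts.setdefault(m.group(2), [])
        if not starts or (ts - starts[-1]).total_seconds() > burst_gap:
            starts.append(ts)
    return bursts

def summarize(log_text, **kwargs):
    """Per host: number of bursts and median seconds between burst starts."""
    report = {}
    for host, starts in expiry_bursts(log_text, **kwargs).items():
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        report[host] = {"bursts": len(starts),
                        "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(host, stats)
```

A steady median gap near 600 seconds matches the "every 10 minutes" cadence in the report; irregular gaps point to something other than routine context expiry.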

Comment 1 Fedora Admin XMLRPC Client 2010-04-28 14:48:58 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Fedora Update System 2010-05-18 18:34:01 UTC
sssd-1.1.92-11.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13

Comment 3 Fedora Update System 2010-05-19 19:14:58 UTC
sssd-1.1.92-11.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sssd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13

Comment 4 Fedora Update System 2010-05-27 18:28:56 UTC
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sssd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.2.0-12.fc13

Comment 5 Fedora Update System 2010-06-01 18:12:57 UTC
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

