Bug 575187 - SSSD pollutes log with error messages
SSSD pollutes log with error messages
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Stephen Gallagher
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-19 13:14 EDT by Eugene Indenbom
Modified: 2010-06-01 14:13 EDT (History)
4 users (show)

See Also:
Fixed In Version: sssd-1.2.0-12.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-01 14:13:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Indenbom 2010-03-19 13:14:25 EDT
Description of problem:
When using LDAP connection with kerberos encryption SSSD pollutes system log with 2 messages every 10 minutes.

The messages are as follows:
Mar 18 16:54:29 node-1 sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Version-Release number of selected component (if applicable): 1.0.5


How reproducible:

Steps to Reproduce:
1. Configure SSSD domain with LDAP id provider and kerberos authentication and encryption
2. Look into event log
  
Actual results:
2 error messages every 10 minutes appeared.

Expected results:
No error messages are expected.


Additional info:
SSSD functions normally. The messages are produced by sasl_callback set predefined SASL_CB_LOG.

An error happens during kerberos packet encryption after kerberos ticket is expired.

The error is handled by SSSD later on, but message gets added to system log.

There 2 side problems here:
1. Why ticket is acquired for only 5 minutes?
2. Why reconnect happens only after error, not in advance?

It makes sense in case of kerberos encryption to acquire ticket for longer period (say 24h) and reconnect in advance before ticket expiry, avoiding error message and processing delay.

The workaround for this problem is to use SSL encryption instead of kerberos.
Comment 1 Fedora Admin XMLRPC Client 2010-04-28 10:48:58 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Fedora Update System 2010-05-18 14:34:01 EDT
sssd-1.1.92-11.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13
Comment 3 Fedora Update System 2010-05-19 15:14:58 EDT
sssd-1.1.92-11.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.1.92-11.fc13
Comment 4 Fedora Update System 2010-05-27 14:28:56 EDT
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/sssd-1.2.0-12.fc13
Comment 5 Fedora Update System 2010-06-01 14:12:57 EDT
sssd-1.2.0-12.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.