Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 640601

Summary: sssd is not escaping correctly LDAP searches
Product: Red Hat Enterprise Linux 5 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: benl, jgalipea, kbanerje, loris.santamaria, sgallagh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.5.1-7.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 640597 Environment:
Last Closed: 2011-07-21 08:11:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 640597, 640602    
Bug Blocks:    

Description Dmitri Pal 2010-10-06 12:54:40 UTC 
+++ This bug was initially created as a clone of Bug #640597 +++

Description of problem:

sssd is not escaping correctly LDAP searches, and when it receives an error from the LDAP server is going offline

Version-Release number of selected component (if applicable):

sssd-1.2.1-27.el5

How reproducible:

always

Steps to Reproduce:

I noticed that sssd in some of our servers was going offline with no apparent reason, so bumping up the debug_level I found this in the logs:

(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_get_account_info] (4): Got request for [4097][1][name=hacienda\eladio]
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

A bit of investigation turned up that the query was initiated by winbind, which was running on the server, so it was a matter of changing the "winbind separator" and restarting winbind and sssd to hide the problem.

Now is evident that this is a bug in SSSD, where it is sufficient that any user queryiing for a username with an '\' in its name to have SSSD going offline.

I reproduced this executing "id hacienda\\eladio"
Comment 2 Kaushik Banerjee 2011-05-26 15:39:55 UTC 
1. Users added on DS:
# usr\5C1, People, example.com
dn: uid=usr\5C1,ou=People,dc=example,dc=com
uidNumber: 90009
gidNumber: 90009
objectClass: top
objectClass: posixAccount
objectClass: person
cn: usr\\1
homeDirectory: /export/usr1
sn: usr\\1
uid: usr\1

# usr\5C1_grp\5C1, Groups, example.com
dn: cn=usr\5C1_grp\5C1,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixgroup
memberUid: uid=usr\\1,ou=People,dc=example,dc=com
gidNumber: 90009
cn: usr\1_grp\1

# usr\5C01, People, example.com
dn: uid=usr\5C01,ou=People,dc=example,dc=com
uidNumber: 99009
gidNumber: 99009
objectClass: top
objectClass: posixAccount
objectClass: person
cn: usr\\01
homeDirectory: /export/usr01
sn: usr\\01
uid: usr\01

# usr\5C01_grp\5C01, Groups, example.com
dn: cn=usr\5C01_grp\5C01,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixgroup
member: uid=usr\5C01,ou=People,dc=example,dc=com
gidNumber: 99009
cn: usr\01_grp\01

# id usr\\1
uid=90009(usr\1) gid=90009(usr\1_grp\1) groups=90009(usr\1_grp\1) context=root:system_r:unconfined_t:SystemLow-SystemHigh

# id -G -n usr\\1
usr\1_grp\1

# id -G -n usr\\01
usr\01_grp\01

# id usr\\01
uid=99009(usr\01) gid=99009(usr\01_grp\01) groups=99009(usr\01_grp\01) context=root:system_r:unconfined_t:SystemLow-SystemHigh

# ssh -l usr\\1 localhost
usr\1@localhost's password: 
Last login: Wed May 25 13:22:24 2011 from localhost.localdomain
Could not chdir to home directory /export/usr1: No such file or directory
-sh-3.2$ id
uid=90009(usr\1) gid=90009(usr\1_grp\1) groups=90009(usr\1_grp\1) context=user_u:system_r:unconfined_t
-sh-3.2$ 


Please note that, authentication issues for users with "\0" is covered in bug 707975
Comment 4 Kaushik Banerjee 2011-05-26 15:41:54 UTC 
Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 35.el5                        Build Date: Wed 25 May 2011 08:03:59 PM IST
Install Date: Thu 26 May 2011 03:52:52 PM IST      Build Host: x86-008.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-35.el5.src.rpm
Size        : 3486777                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 5 errata-xmlrpc 2011-07-21 08:11:51 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html