+++ This bug was initially created as a clone of Bug #640597 +++

Description of problem:
sssd is not correctly escaping LDAP searches, and when it receives an error from the LDAP server it goes offline.

Version-Release number of selected component (if applicable):
sssd-1.2.1-27.el5

How reproducible:
always

Steps to Reproduce:
I noticed that sssd in some of our servers was going offline with no apparent reason, so bumping up the debug_level I found this in the logs:

(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_get_account_info] (4): Got request for [4097][1][name=hacienda\eladio]
(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

A bit of investigation turned up that the query was initiated by winbind, which was running on the server, so it was a matter of changing the "winbind separator" and restarting winbind and sssd to hide the problem.

Now it is evident that this is a bug in SSSD, where it is sufficient for any user to query for a username with a '\' in its name to have SSSD go offline. I reproduced this by executing "id hacienda\\eladio".
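An added example (not part of the original report, and not SSSD's own code or fix): in an RFC 4515 search filter a backslash must be followed by two hex digits, so a name such as "hacienda\eladio" has to be escaped before it is placed in a filter. The function names and the filter shape below are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not SSSD code: escape a value for use inside an
 * LDAP search filter (RFC 4515). Returns a malloc'd string or NULL. */
char *ldap_filter_escape(const char *in, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(len * 3 + 1);   /* worst case: every byte -> "\xx" */
    size_t i, o = 0;

    if (out == NULL) return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Assumed filter shape (not taken from SSSD); caller frees the result. */
char *build_user_filter(const char *name)
{
    static const char fmt[] = "(&(uid=%s)(objectClass=posixAccount))";
    char *esc = ldap_filter_escape(name, strlen(name)), *filter = NULL;
    int n;
    if (esc == NULL) return NULL;
    n = snprintf(NULL, 0, fmt, esc);
    if (n >= 0 && (filter = malloc((size_t)n + 1)) != NULL)
        snprintf(filter, (size_t)n + 1, fmt, esc);
    free(esc);
    return filter;
}

int main(void)
{
    char *f = build_user_filter("hacienda\\eladio"); /* name from the log */
    if (f == NULL) return 1;
    puts(f);
    free(f);
    return 0;
}
```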
1. Users added on DS:

# usr\5C1, People, example.com
dn: uid=usr\5C1,ou=People,dc=example,dc=com
uidNumber: 90009
gidNumber: 90009
objectClass: top
objectClass: posixAccount
objectClass: person
cn: usr\\1
homeDirectory: /export/usr1
sn: usr\\1
uid: usr\1

# usr\5C1_grp\5C1, Groups, example.com
dn: cn=usr\5C1_grp\5C1,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixgroup
memberUid: uid=usr\\1,ou=People,dc=example,dc=com
gidNumber: 90009
cn: usr\1_grp\1

# usr\5C01, People, example.com
dn: uid=usr\5C01,ou=People,dc=example,dc=com
uidNumber: 99009
gidNumber: 99009
objectClass: top
objectClass: posixAccount
objectClass: person
cn: usr\\01
homeDirectory: /export/usr01
sn: usr\\01
uid: usr\01

# usr\5C01_grp\5C01, Groups, example.com
dn: cn=usr\5C01_grp\5C01,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixgroup
member: uid=usr\5C01,ou=People,dc=example,dc=com
gidNumber: 99009
cn: usr\01_grp\01

# id usr\\1
uid=90009(usr\1) gid=90009(usr\1_grp\1) groups=90009(usr\1_grp\1) context=root:system_r:unconfined_t:SystemLow-SystemHigh

# id -G -n usr\\1
usr\1_grp\1

# id -G -n usr\\01
usr\01_grp\01

# id usr\\01
uid=99009(usr\01) gid=99009(usr\01_grp\01) groups=99009(usr\01_grp\01) context=root:system_r:unconfined_t:SystemLow-SystemHigh

# ssh -l usr\\1 localhost
usr\1@localhost's password:
Last login: Wed May 25 13:22:24 2011 from localhost.localdomain
Could not chdir to home directory /export/usr1: No such file or directory
-sh-3.2$ id
uid=90009(usr\1) gid=90009(usr\1_grp\1) groups=90009(usr\1_grp\1) context=user_u:system_r:unconfined_t
-sh-3.2$

Please note that authentication issues for users with "\0" are covered in bug 707975.
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 35.el5                        Build Date: Wed 25 May 2011 08:03:59 PM IST
Install Date: Thu 26 May 2011 03:52:52 PM IST      Build Host: x86-008.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-35.el5.src.rpm
Size        : 3486777                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html