771702 – sssd_pam crashes during change password operation against a IPA server.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 771702 - sssd_pam crashes during change password operation against a IPA server.

Summary: sssd_pam crashes during change password operation against a IPA server.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Stephen Gallagher
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-01-04 17:03 UTC by Gowrishankar Rajaiyan
Modified:	2020-05-02 16:42 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sssd-1.8.0-2.el6.beta2
Doc Type:	Bug Fix
Doc Text:	Cause: In cases the SSSD was operating on offline mode and Kerberos password was requested with a configuration that also uses the KDC server for changing passwords, the SSSD was issuing the password change requests in an infinite loop Consequence: The sssd_be process was looping infinitely and occasionally even crashing Fix: The sssd_be process was fixed to not call the password changing request when offline Result: When a password change operation is requested while the SSSD is offline, the operations exits gracefully.
Clone Of:
Environment:
Last Closed:	2012-06-20 11:51:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2173	0	None	None	None	2020-05-02 16:42:23 UTC
Red Hat Product Errata	RHBA-2012:0747	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2012-06-19 19:31:43 UTC

Description Gowrishankar Rajaiyan 2012-01-04 17:03:08 UTC

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.5.1-66.el6_2.1.x86_64.rpm

How reproducible:
100%

Steps to Reproduce:
1. Make sure "allow_all" hbacrule is enabled.
2. Create an IPA user.
3. From client do "ssh -l shanks SERVER.hostname"
4. Enter password, and change password requested.
5. Enter and re-enter new password.
  
Actual results:
Re-enter new password prompt hangs. sssd_pam crash detected in /var/log/messages.

Expected results:
Password changed successfully with no crash detected.

Additional info:

relevant ipa server sssd.conf:
[domain/lab.eng.pnq.redhat.com]
timeout = 30000
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = bumblebee.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = bumblebee.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

relevant client sssd.conf:
[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_search_base = cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
auth_provider = krb5
krb5_server = bumblebee.lab.eng.pnq.redhat.com
krb5_realm = LAB.ENG.PNQ.REDHAT.COM
krb5_lifetime = 120
krb5_renew_interval = 10
krb5_renewable_lifetime = 300


# gdb --core=/var/spool/abrt/ccpp-2012-01-03-05\:36\:27-23164/coredump /usr/libexec/sssd/sssd_pam --quiet -ex "thread apply all bt full" -ex "quit"
Reading symbols from /usr/libexec/sssd/sssd_pam...Reading symbols from /usr/lib/debug/usr/libexec/sssd/sssd_pam.debug...done.
done.
[New Thread 23164]
Missing separate debuginfo for 
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/0a/c87124da6b3667e15d65262886e136d5682803
Reading symbols from /usr/lib64/libtevent.so.0.9.8...Reading symbols from /usr/lib/debug/usr/lib64/libtevent.so.0.9.8.debug...done.
done.
Loaded symbols for /usr/lib64/libtevent.so.0.9.8
Reading symbols from /usr/lib64/libtalloc.so.2.0.1...Reading symbols from /usr/lib/debug/usr/lib64/libtalloc.so.2.0.1.debug...done.
done.
Loaded symbols for /usr/lib64/libtalloc.so.2.0.1
Reading symbols from /lib64/libpopt.so.0.0.0...Reading symbols from /usr/lib/debug/lib64/libpopt.so.0.0.0.debug...done.
done.
Loaded symbols for /lib64/libpopt.so.0.0.0
Reading symbols from /usr/lib64/libldb.so.0.9.10...Reading symbols from /usr/lib/debug/usr/lib64/libldb.so.0.9.10.debug...done.
done.
Loaded symbols for /usr/lib64/libldb.so.0.9.10
Reading symbols from /lib64/libdbus-1.so.3.4.0...Reading symbols from /usr/lib/debug/lib64/libdbus-1.so.3.4.0.debug...done.
done.
Loaded symbols for /lib64/libdbus-1.so.3.4.0
Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/librt.so.1
Reading symbols from /lib64/libpcre.so.0.0.1...Reading symbols from /usr/lib/debug/lib64/libpcre.so.0.0.1.debug...done.
done.
Loaded symbols for /lib64/libpcre.so.0.0.1
Reading symbols from /usr/lib64/libini_config.so.2.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libini_config.so.2.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libini_config.so.2.0.0
Reading symbols from /usr/lib64/libcollection.so.2.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libcollection.so.2.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libcollection.so.2.0.0
Reading symbols from /usr/lib64/libdhash.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libdhash.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libdhash.so.1.0.0
Reading symbols from /lib64/liblber-2.4.so.2.5.6...Reading symbols from /usr/lib/debug/lib64/liblber-2.4.so.2.5.6.debug...done.
done.
Loaded symbols for /lib64/liblber-2.4.so.2.5.6
Reading symbols from /lib64/libldap-2.4.so.2.5.6...Reading symbols from /usr/lib/debug/lib64/libldap-2.4.so.2.5.6.debug...done.
done.
Loaded symbols for /lib64/libldap-2.4.so.2.5.6
Reading symbols from /usr/lib64/libtdb.so.1.2.1...Reading symbols from /usr/lib/debug/usr/lib64/libtdb.so.1.2.1.debug...done.
done.
Loaded symbols for /usr/lib64/libtdb.so.1.2.1
Reading symbols from /usr/lib64/libssl3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libssl3.so.debug" does not match "/usr/lib64/libssl3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libssl3.so.debug" does not match "/usr/lib64/libssl3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libssl3.so
Reading symbols from /usr/lib64/libsmime3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libsmime3.so.debug" does not match "/usr/lib64/libsmime3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libsmime3.so.debug" does not match "/usr/lib64/libsmime3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsmime3.so
Reading symbols from /usr/lib64/libnss3.so...
warning: the debug information found in "/usr/lib/debug//usr/lib64/libnss3.so.debug" does not match "/usr/lib64/libnss3.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib64/libnss3.so.debug" does not match "/usr/lib64/libnss3.so" (CRC mismatch).

(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libnss3.so
Reading symbols from /usr/lib64/libnssutil3.so...Reading symbols from /usr/lib/debug/usr/lib64/libnssutil3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libnssutil3.so
Reading symbols from /lib64/libplds4.so...Reading symbols from /usr/lib/debug/lib64/libplds4.so.debug...done.
done.
Loaded symbols for /lib64/libplds4.so
Reading symbols from /lib64/libplc4.so...Reading symbols from /usr/lib/debug/lib64/libplc4.so.debug...done.
done.
Loaded symbols for /lib64/libplc4.so
Reading symbols from /lib64/libnspr4.so...Reading symbols from /usr/lib/debug/lib64/libnspr4.so.debug...done.
done.
Loaded symbols for /lib64/libnspr4.so
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/lib64/libunistring.so.0.1.2...Reading symbols from /usr/lib/debug/usr/lib64/libunistring.so.0.1.2.debug...done.
done.
Loaded symbols for /usr/lib64/libunistring.so.0.1.2
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libpath_utils.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libpath_utils.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libpath_utils.so.1.0.0
Reading symbols from /usr/lib64/libref_array.so.1.0.0...Reading symbols from /usr/lib/debug/usr/lib64/libref_array.so.1.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/libref_array.so.1.0.0
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /usr/lib64/libsasl2.so.2.0.23...Reading symbols from /usr/lib/debug/usr/lib64/libsasl2.so.2.0.23.debug...done.
done.
Loaded symbols for /usr/lib64/libsasl2.so.2.0.23
Reading symbols from /lib64/libz.so.1.2.3...Reading symbols from /usr/lib/debug/lib64/libz.so.1.2.3.debug...done.
done.
Loaded symbols for /lib64/libz.so.1.2.3
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libfreebl3.so...Reading symbols from /usr/lib/debug/lib64/libfreebl3.so.debug...done.
done.
Loaded symbols for /lib64/libfreebl3.so
Reading symbols from /usr/lib64/ldb/memberof.so...Reading symbols from /usr/lib/debug/usr/lib64/ldb/memberof.so.debug...done.
done.
Loaded symbols for /usr/lib64/ldb/memberof.so
Core was generated by `/usr/libexec/sssd/sssd_pam -d 0 --debug-to-files'.
Program terminated with signal 6, Aborted.
#0  0x0000003e37a32885 in raise () from /lib64/libc.so.6

Thread 1 (Thread 0x7f3a64d23700 (LWP 23164)):
#0  0x0000003e37a32885 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000003e37a34065 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000003e39e2a975 in _dbus_abort () at dbus-sysdeps.c:88
        s = <value optimized out>
#3  0x0000003e39e26845 in _dbus_warn_check_failed (
    format=0x3e39e339e0 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n") at dbus-internals.c:283
        args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff654e8990, reg_save_area = 0x7fff654e88c0}}
#4  0x0000003e39e10471 in dbus_connection_send_with_reply (connection=0x0, message=0x1d59750, pending_return=0x7fff654e89d8, 
    timeout_milliseconds=150000) at dbus-connection.c:3226
        pending = <value optimized out>
        serial = -1
        status = <value optimized out>
        __FUNCTION__ = "dbus_connection_send_with_reply"
#5  0x0000000000423144 in sbus_conn_send (conn=<value optimized out>, msg=<value optimized out>, timeout_ms=<value optimized out>, 
    reply_handler=0x430c60 <sss_dp_send_acct_callback>, pvt=0x1d6bd80, pending=0x7fff654e8ad8) at src/sbus/sssd_dbus_connection.c:711
        pending_reply = <value optimized out>
        dbus_conn = <value optimized out>
        dbret = <value optimized out>
        __FUNCTION__ = "sbus_conn_send"
#6  0x000000000043088d in sss_dp_send_acct_req_create (rctx=0x1d54830, callback_memctx=0x1d5c0e0, 
    callback=0x409cc0 <pam_check_user_dp_callback>, callback_ctx=0x1d5c0e0, timeout=150000, domain=0x1d530e0 "lab.eng.pnq.redhat.com", 
    fast_reply=false, type=3, opt_name=0x1d63d40 "shanks", opt_id=0) at src/responder/common/responder_dp.c:493
        msg = 0x1d59750
        dbret = <value optimized out>
        ret = <value optimized out>
        pending_reply = <value optimized out>
        cb = <value optimized out>
        sdp_req = 0x1d6bd80
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6.x86_64 nss-3.12.10-16.el6.x86_64
---Type <return> to continue, or q <return> to quit---
        attrs = 1
        be_conn = 0x1d58180
#7  sss_dp_send_acct_req (rctx=0x1d54830, callback_memctx=0x1d5c0e0, callback=0x409cc0 <pam_check_user_dp_callback>, 
    callback_ctx=0x1d5c0e0, timeout=150000, domain=0x1d530e0 "lab.eng.pnq.redhat.com", fast_reply=false, type=3, 
    opt_name=0x1d63d40 "shanks", opt_id=0) at src/responder/common/responder_dp.c:385
        ret = <value optimized out>
        hret = <value optimized out>
        be_type = <value optimized out>
        filter = 0x1d6c110 "name=shanks"
        key = {type = HASH_KEY_STRING, {str = 0x1d55810 "3shanks.pnq.redhat.com", ul = 30758928}}
        value = {type = 1699646224, {ptr = 0x3e37a722f5, i = 933700341, ui = 933700341, l = 267221672693, ul = 267221672693, 
            f = 1.99242295e-05, d = 1.3202504830184524e-312}}
        tmp_ctx = 0x1d652d0
        tv = {tv_sec = 206158430248, tv_usec = 140734893034448}
        sdp_req = 0x0
        cb = <value optimized out>
        __FUNCTION__ = "sss_dp_send_acct_req"
#8  0x0000000000408093 in pam_check_user_search (preq=0x1d5c0e0) at src/responder/pam/pamsrv_cmd.c:902
        dom = 0x1d54da0
        cctx = <value optimized out>
        name = 0x1d63d40 "shanks"
        sysdb = 0x1d55810
        cacheExpire = <value optimized out>
        ret = <value optimized out>
        __FUNCTION__ = "pam_check_user_search"
#9  0x000000000040a8f1 in pam_forwarder (cctx=<value optimized out>, pam_cmd=<value optimized out>) at src/responder/pam/pamsrv_cmd.c:796
        dom = 0x1d54da0
        preq = 0x1d5c0e0
        pd = 0x1d5bd20
        body = 0x1d6f770 "IPAM\001"
        blen = 124
        ret = <value optimized out>
        ncret = <value optimized out>
        terminator = 1229996365
        __FUNCTION__ = "pam_forwarder"
#10 0x000000000040b641 in pam_cmd_authenticate (cctx=0x1d5ba50) at src/responder/pam/pamsrv_cmd.c:1003
---Type <return> to continue, or q <return> to quit---
        __FUNCTION__ = "pam_cmd_authenticate"
#11 0x000000000042d950 in client_recv (ev=<value optimized out>, fde=<value optimized out>, flags=1, ptr=<value optimized out>)
    at src/responder/common/responder_common.c:183
        ret = <value optimized out>
#12 client_fd_handler (ev=<value optimized out>, fde=<value optimized out>, flags=1, ptr=<value optimized out>)
    at src/responder/common/responder_common.c:221
        cctx = 0x1d5ba50
#13 0x0000003e3d605456 in epoll_event_loop (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:309
        fde = <value optimized out>
        flags = <value optimized out>
        ret = 1
        i = <value optimized out>
        events = {{events = 1, data = {ptr = 0x1d6ad00, fd = 30846208, u32 = 30846208, u64 = 30846208}}}
        timeout = <value optimized out>
#14 std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:544
        std_ev = 0x1d513e0
        tval = {tv_sec = 0, tv_usec = 34450}
#15 0x0000003e3d6026d0 in _tevent_loop_once (ev=0x1d51320, location=0x439595 "src/util/server.c:526") at tevent.c:490
        ret = <value optimized out>
        nesting_stack_ptr = 0x0
#16 0x0000003e3d60273b in tevent_common_loop_wait (ev=0x1d51320, location=0x439595 "src/util/server.c:526") at tevent.c:591
        ret = <value optimized out>
#17 0x0000000000427921 in server_loop (main_ctx=0x1d52420) at src/util/server.c:526
No locals.
#18 0x0000000000407aa0 in main (argc=<value optimized out>, argv=<value optimized out>) at src/responder/pam/pamsrv.c:230
        opt = <value optimized out>
        pc = <value optimized out>
        main_ctx = 0x1d52420
        ret = <value optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x6408a0, val = 0, descrip = 0x433242 "Help options:", 
            argDescrip = 0x0}, {longName = 0x433250 "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x640998, val = 0, 
            descrip = 0x433221 "Debug level", argDescrip = 0x0}, {longName = 0x43325c "debug-to-files", shortName = 102 'f', argInfo = 0, 
            arg = 0x64099c, val = 0, descrip = 0x433388 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {
            longName = 0x43326b "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg = 0x640860, val = 0, 
            descrip = 0x43322d "Add debug timestamps", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, 
            val = 0, descrip = 0x0, argDescrip = 0x0}}
---Type <return> to continue, or q <return> to quit---
        __FUNCTION__ = "main"

Comment 2 Jakub Hrozek 2012-01-04 21:01:58 UTC

I admit I haven't reproduced the crash but I saw a bug here - in the case Shanks tested, the ipa_kpasswd process returned that KDC was down. Because SSSD tried to create an expired TGT even when offline, it called the child agan, the child failed, sent sssd offline, sssd called the child again..etc.

Comment 3 Jakub Hrozek 2012-01-04 21:04:04 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1131

Comment 6 Jakub Hrozek 2012-04-03 18:06:05 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: In cases the SSSD was operating on offline mode and Kerberos password was requested with a configuration that also uses the KDC server for changing passwords, the SSSD was issuing the password change requests in an infinite loop

Consequence: The sssd_be process was looping infinitely and occasionally even crashing

Fix: The sssd_be process was fixed to not call the password changing request when offline

Result: When a password change operation is requested while the SSSD is offline, the operations exits gracefully.

Comment 7 Kaleem 2012-05-07 13:02:21 UTC

Verified.

Now following message is displayed when sssd is working in offline mode and password change is requested.

"System is offline, password change not possible"

sssd-version:
=============
[root@ipa63server ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@ipa63server ~]#

console output:
===============
[root@ipa63client2 ~]# ssh -l tuser1 ipa63server.testrelm.com
tuser1.com's password: 
Last login: Mon May  7 18:24:45 2012 from ipa63client2.testrelm.com
-sh-4.1$ passwd
Changing password for user tuser1.
Current Password: 
System is offline, password change not possible
passwd: Authentication token manipulation error
-sh-4.1$

Comment 9 errata-xmlrpc 2012-06-20 11:51:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

Note You need to log in before you can comment on or make changes to this bug.