Bug 803937
| Summary: | sssd crashed after "LDAP connection error" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | ksuzuoki |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | apeetham, grajaiya, jgalipea, jhrozek, prc |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.8.0-15.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: when IPA client-side migration was performed, the SSSD used the start TLS operation on a connection that was already encrypted by GSSAPI
Consequence: In some rare cases, especially when the TLS certificate was not available, this lead to sssd_be process crashing
Fix: The migration procedure was fixed so that it spawns a new TLS-only connection for the migration
Result: The client side password migration is more robust now
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 11:56:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Comment 4
Jenny Severance
2012-03-16 12:09:30 UTC
(In reply to comment #4) > Please add steps to reproduce this crash We could never reliably reproduce the crash. There should only be sanity testing of the client-side migration. The root cause seemed to be the fact that during migration, both TLS and GSSAPI were used at the same time and moreover, TLS was switched on by modifying a global option. We changed the way migration is performed to only use TLS for that single migration connection by passing a flag. Sumit gave a very detailed overview of the problem along with the proposed solution in the opening comment of https://fedorahosted.org/sssd/ticket/924 Verify sanity only - no regressions found
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: when IPA client-side migration was performed, the SSSD used the start TLS operation on a connection that was already encrypted by GSSAPI
Consequence: In some rare cases, especially when the TLS certificate was not available, this lead to sssd_be process crashing
Fix: The migration procedure was fixed so that it spawns a new TLS-only connection for the migration
Result: The client side password migration is more robust now
Verified on sssd-1.8.0-28.el6. This bug has been verified sanity only and no related regressions detected. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html |