814269 – sssd-1.5.1-66.el6_2.3.x86_64 freezes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 814269 - sssd-1.5.1-66.el6_2.3.x86_64 freezes

Summary: sssd-1.5.1-66.el6_2.3.x86_64 freezes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Stephen Gallagher
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1291709
TreeView+	depends on / blocked

Reported:	2012-04-19 13:51 UTC by Taunus
Modified:	2019-09-12 07:41 UTC (History)
CC List:	6 users (show)
Fixed In Version:	sssd-1.8.0-22.el6
Doc Type:	Bug Fix
Doc Text:	Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them. Consequence: SSSD would hang and never respond to requests. Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time. Result: SSSD no longer hangs, unresponsive if the LDAP server is not responding.
Clone Of:
Clones:	1291709 (view as bug list)
Environment:
Last Closed:	2012-06-20 11:56:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0747	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2012-06-19 19:31:43 UTC

Description Taunus 2012-04-19 13:51:36 UTC

Description of problem:
sssd waits too long for feedback from ipa if IP packages are dropped.

Version-Release number of selected component (if applicable):
sssd-1.5.1-66

How reproducible:
drop packages to ipa

Steps to Reproduce:
1. drop packages to ipa
2. restart sssd
3. query for some user
  
Actual results:
about 20 sec wait

Expected results:
reply from couple seconds of query

Additional info:
sssd takes too much time looking if ipa is available or not.

To reproduce:

# Test 1
# Add "Deny IPA access" rule, no reply from network to sssd
iptables -I OUTPUT -d ipa.ip.address -j DROP
iptables -I OUTPUT -d ipa2.ip.address -j DROP

# drop existing connections
service sssd restart

# query for (nonexistent) user
id sdfgsd

# wait for about 20secs...
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j DROP
iptables -D OUTPUT -d ipa2.ip.address -j DROP
exit

# Test 2
# Compare the above to this. Firewall sends reject back to sssd
#
# Add "Reject IPA access with icmp" rule
iptables -I OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -I OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

# drop existing connections
service sssd restart

# query for (nonexistent) user
id shsgfgh

# No need to wait for very long
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -D OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

If you look at the connections packages dropped with netstat when waiting you see that the sssd_be is waiting for reply from ipaserver and tcp status is SYN_SENT.

This can happen in situations when firewall drops the packages or you have network connection but cannot reach ipa for some other reason.

I think it is the same thing is here:
https://bugzilla.redhat.com/show_bug.cgi?id=634592

Sometimes sssd goes into loop just checking for the ipa server continuously. Then the systems is pretty much stuck for minutes.



cat /etc/sssd/sssd.conf

[sssd]
# debug_level = 5

services = nss, pam
config_file_version = 2

domains = sub.domain.com
[nss]

[pam]

[domain/sub.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = sub.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hostname.sub.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.sub.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt

Comment 2 Stephen Gallagher 2012-04-20 12:38:03 UTC

This was fixed upstream as commit https://fedorahosted.org/sssd/changeset/5bf2314b9f64099cd4e88b8f3498d986d97e1ac6/ included in SSSD 1.7.0 and 1.8.0.

Comment 3 Taunus 2012-04-20 14:05:46 UTC

Do you know when the fixed version will be available on rhel?

Comment 4 Stephen Gallagher 2012-04-20 14:30:53 UTC

(In reply to comment #3)
> Do you know when the fixed version will be available on rhel?

It will be fixed in RHEL 6.3, the beta of which should be released fairly soon.

Comment 7 Taunus 2012-04-25 07:17:29 UTC

Just downloaded sssd rhel beta packages. The beta package version is sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.

Comment 8 Stephen Gallagher 2012-04-25 11:17:02 UTC

(In reply to comment #7)
> Just downloaded sssd rhel beta packages. The beta package version is
> sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.

Yes, sorry. Apparently the RHEL beta shipped with -22. This is fixed and ready for the final release. If you contact your support rep, they may be able to provide you with the newer build.

Comment 9 Stephen Gallagher 2012-04-25 11:18:17 UTC

Actually, I correct that. It looks like the package version is incorrect above. It should already be fixed in -22 (I need to read more carefully).

Correcting the FixedIn version.

Comment 10 Taunus 2012-04-25 11:27:43 UTC

Ok, I've tested the new packages a bit and
sssd-1.8.0-22.el6 works much better than the sssd-1.5.1-66

Comment 11 Kaushik Banerjee 2012-04-25 14:34:03 UTC

Verified with version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Fri 20 Apr 2012 11:30:39 PM IST
Install Date: Wed 25 Apr 2012 07:28:48 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-23.el6.src.rpm
Size        : 7874744                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon



Verification steps ( The delay is of 6 seconds now):

# iptables -I OUTPUT -d ipaserver.example.com -j DROP
# date;id kau1;date
Fri Apr 20 16:15:14 IST 2012
id: kau1: No such user
Fri Apr 20 16:15:20 IST 2012

Comment 12 Stephen Gallagher 2012-06-12 13:55:43 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them.

Consequence: SSSD would hang and never respond to requests.

Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time.

Result: SSSD no longer hangs, unresponsive if the LDAP server is not responding.

Comment 14 errata-xmlrpc 2012-06-20 11:56:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

Comment 15 Antonio Dias 2015-08-04 12:37:32 UTC

Is this bug going to be fixed for RHEL5 sssd packages?

Note You need to log in before you can comment on or make changes to this bug.