Description of problem: sssd waits too long for feedback from ipa if IP packets are dropped.

Version-Release number of selected component (if applicable): sssd-1.5.1-66

How reproducible: drop packets to ipa

Steps to Reproduce:
1. drop packets to ipa
2. restart sssd
3. query for some user

Actual results: about 20 sec wait

Expected results: reply within a couple of seconds of the query

Additional info:
sssd takes too much time looking if ipa is available or not. To reproduce:

# Test 1
# Add "Deny IPA access" rule, no reply from network to sssd
iptables -I OUTPUT -d ipa.ip.address -j DROP
iptables -I OUTPUT -d ipa2.ip.address -j DROP
# drop existing connections
service sssd restart
# query for (nonexistent) user
id sdfgsd
# wait for about 20secs...
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j DROP
iptables -D OUTPUT -d ipa2.ip.address -j DROP
exit

# Test 2
# Compare the above to this. Firewall sends reject back to sssd
#
# Add "Reject IPA access with icmp" rule
iptables -I OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -I OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited
# drop existing connections
service sssd restart
# query for (nonexistent) user
id shsgfgh
# No need to wait for very long
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -D OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

If you look at the connections with netstat while packets are dropped and sssd is waiting, you see that sssd_be is waiting for a reply from the ipaserver and the tcp status is SYN_SENT. This can happen in situations when the firewall drops the packets or you have a network connection but cannot reach ipa for some other reason.

I think it is the same thing as here: https://bugzilla.redhat.com/show_bug.cgi?id=634592

Sometimes sssd goes into a loop, just checking for the ipa server continuously. Then the system is pretty much stuck for minutes.

cat /etc/sssd/sssd.conf
[sssd]
# debug_level = 5
services = nss, pam
config_file_version = 2
domains = sub.domain.com

[nss]

[pam]

[domain/sub.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = sub.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hostname.sub.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.sub.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
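The two tests above differ only in what the client socket sees: a DROP rule leaves the connect in SYN_SENT with no reply, while a REJECT rule returns an ICMP or RST error at once. The example below, added here and not part of this bug report or of SSSD itself, shows the bounded-timer behaviour the later technical note describes: every connect attempt carries a hard deadline, the failure is classified as timeout / refused / unreachable, and a failover list like the ipa_server setting is walked at a bounded cost per server. Host names and ports are placeholders.

```python
import errno
import socket
import time

# Map the connect() outcome to the firewall behaviour contrasted in the bug report:
# no reply at all (iptables DROP) only ends when our own timer fires, a TCP RST
# shows up as ECONNREFUSED, and "--reject-with icmp-host-prohibited" as EHOSTUNREACH.
def classify(exc):
    """Return a short label for the failure class of a connect() exception."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"            # silent drop: would sit in SYN_SENT without a timer
    if isinstance(exc, ConnectionRefusedError) or getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "refused"            # peer or firewall answered with a TCP RST
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"        # ICMP host/net prohibited or unreachable
    return "error"                  # DNS failure or anything else

def probe(host, port, timeout):
    """One TCP connect with a hard deadline; returns (outcome, seconds_elapsed)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = "ok"
    except OSError as exc:          # socket.timeout is an OSError subclass
        outcome = classify(exc)
    return outcome, time.monotonic() - start

def first_reachable(servers, timeout):
    """Walk a failover list (the role of ipa_server = _srv_, ipa.sub.domain.com)
    spending at most `timeout` seconds per entry instead of hanging on the first one."""
    for host, port in servers:
        outcome, _ = probe(host, port, timeout)
        if outcome == "ok":
            return (host, port)
    return None

def free_local_port():
    """Pick a loopback port nobody listens on, to simulate a REJECT (RST) locally."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Placeholder servers: a closed loopback port answers at once with a RST.
    print(probe("127.0.0.1", free_local_port(), 2.0))
    print(first_reachable([("127.0.0.1", free_local_port())], 2.0))
```

Against a real DROP rule the same probe returns ("timeout", about 2.0) instead of blocking for the 20 seconds reported above.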
This was fixed upstream as commit https://fedorahosted.org/sssd/changeset/5bf2314b9f64099cd4e88b8f3498d986d97e1ac6/ included in SSSD 1.7.0 and 1.8.0.
Do you know when the fixed version will be available on rhel?
(In reply to comment #3)
> Do you know when the fixed version will be available on rhel?

It will be fixed in RHEL 6.3, the beta of which should be released fairly soon.
Just downloaded the sssd rhel beta packages. The beta package version is sssd-1.8.0-22.el6 and the fixed package in the bug says sssd-1.8.0-23.el6.
(In reply to comment #7)
> Just downloaded sssd rhel beta packages. The beta package version is
> sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.

Yes, sorry. Apparently the RHEL beta shipped with -22. This is fixed and ready for the final release. If you contact your support rep, they may be able to provide you with the newer build.
Actually, I correct that. It looks like the package version is incorrect above. It should already be fixed in -22 (I need to read more carefully). Correcting the FixedIn version.
Ok, I've tested the new packages a bit and sssd-1.8.0-22.el6 works much better than sssd-1.5.1-66.
Verified with version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Fri 20 Apr 2012 11:30:39 PM IST
Install Date: Wed 25 Apr 2012 07:28:48 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-23.el6.src.rpm
Size        : 7874744                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Verification steps (the delay is 6 seconds now):

# iptables -I OUTPUT -d ipaserver.example.com -j DROP
# date;id kau1;date
Fri Apr 20 16:15:14 IST 2012
id: kau1: No such user
Fri Apr 20 16:15:20 IST 2012
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them.
Consequence: SSSD would hang and never respond to requests.
Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time.
Result: SSSD no longer hangs unresponsive if the LDAP server is not responding.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html
Is this bug going to be fixed for RHEL5 sssd packages?