Bug 814269 - sssd-1.5.1-66.el6_2.3.x86_64 freezes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Stephen Gallagher
QA Contact: IDM QE LIST
Blocks: 1291709
Reported: 2012-04-19 09:51 EDT by Taunus
Modified: 2015-12-15 08:33 EST
Fixed In Version: sssd-1.8.0-22.el6
Doc Type: Bug Fix
Doc Text:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them. Consequence: SSSD would hang and never respond to requests. Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time. Result: SSSD no longer hangs unresponsive if the LDAP server is not responding.
Last Closed: 2012-06-20 07:56:47 EDT
Type: Bug
External Trackers
Tracker ID: Red Hat Product Errata RHBA-2012:0747
Priority: normal
Status: SHIPPED_LIVE
Summary: sssd bug fix and enhancement update
Last Updated: 2012-06-19 15:31:43 EDT

Description Taunus 2012-04-19 09:51:36 EDT
Description of problem:
sssd waits too long for a reply from IPA if IP packets are dropped.

Version-Release number of selected component (if applicable):
sssd-1.5.1-66

How reproducible:
drop packets to IPA

Steps to Reproduce:
1. drop packets to IPA
2. restart sssd
3. query for some user
  
Actual results:
about 20 sec wait

Expected results:
reply within a couple of seconds of the query

Additional info:
sssd takes too much time checking whether IPA is available or not.

To reproduce:

# Test 1
# Add "Deny IPA access" rule, no reply from network to sssd
iptables -I OUTPUT -d ipa.ip.address -j DROP
iptables -I OUTPUT -d ipa2.ip.address -j DROP

# drop existing connections
service sssd restart

# query for (nonexistent) user
id sdfgsd

# wait for about 20secs...
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j DROP
iptables -D OUTPUT -d ipa2.ip.address -j DROP
exit

# Test 2
# Compare the above to this. Firewall sends reject back to sssd
#
# Add "Reject IPA access with icmp" rule
iptables -I OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -I OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

# drop existing connections
service sssd restart

# query for (nonexistent) user
id shsgfgh

# No need to wait for very long
#
# Finish testing, remove the rules
iptables -D OUTPUT -d ipa.ip.address -j REJECT --reject-with icmp-host-prohibited
iptables -D OUTPUT -d ipa2.ip.address -j REJECT --reject-with icmp-host-prohibited

If you look at the connections with netstat while packets are being dropped, you see that sssd_be is waiting for a reply from the IPA server and the TCP state is SYN_SENT.

This can happen in situations when a firewall drops the packets, or when you have a network connection but cannot reach IPA for some other reason.

I think it is the same thing as here:
https://bugzilla.redhat.com/show_bug.cgi?id=634592

Sometimes sssd goes into a loop, just checking for the IPA server continuously. Then the system is pretty much stuck for minutes.

cat /etc/sssd/sssd.conf

[sssd]
# debug_level = 5

services = nss, pam
config_file_version = 2

domains = sub.domain.com
[nss]

[pam]

[domain/sub.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = sub.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hostname.sub.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.sub.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
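As an added example (not code from this report or from SSSD), the contrast between the report's two tests and the bound that the Fix in the technical note describes: a probe that gives up after a deadline returns quickly both for a port that refuses (the REJECT case) and for a peer that accepts but never answers (the DROP case), where an unbounded read would wait indefinitely. Both peers are constructed loopback stand-ins, and start_silent_listener, free_port and probe_server are hypothetical names.

```python
import socket
import threading
import time

# Added example, not code from the bug report or from SSSD. Two constructed
# loopback stand-ins for the report's firewall cases: "refused" (no listener,
# kernel answers RST, connect() fails at once: the REJECT case) and "silent"
# (listener completes the handshake but never sends a byte, so a caller with
# no timer waits forever: the DROP case, moved from SYN to the data layer
# because a SYN blackhole cannot be built on loopback).

def start_silent_listener():
    """Accept connections and never reply. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()
    def loop():
        held = []  # accepted sockets stay open and unanswered
        while not stop.is_set():
            try:
                held.append(srv.accept()[0])
            except socket.timeout:
                pass
        for c in held + [srv]:
            c.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop

def free_port():
    """A loopback port with nothing listening, for the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def probe_server(host, port, deadline_s):
    """Connect and wait for one byte, giving up after deadline_s seconds.
    This is the bound the fix describes. Returns (status, elapsed_seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=deadline_s) as s:
            s.settimeout(max(0.05, deadline_s - (time.monotonic() - start)))
            s.recv(1)
            status = "replied"
    except ConnectionRefusedError:
        status = "refused"
    except socket.timeout:
        status = "timeout"
    return status, time.monotonic() - start
```

With a 1-second deadline the silent peer reports "timeout" after about a second, and the refusing port reports "refused" almost immediately; the report's 20-second wait was the same silent case with no such bound.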
Comment 2 Stephen Gallagher 2012-04-20 08:38:03 EDT
This was fixed upstream as commit https://fedorahosted.org/sssd/changeset/5bf2314b9f64099cd4e88b8f3498d986d97e1ac6/ included in SSSD 1.7.0 and 1.8.0.
Comment 3 Taunus 2012-04-20 10:05:46 EDT
Do you know when the fixed version will be available on rhel?
Comment 4 Stephen Gallagher 2012-04-20 10:30:53 EDT
(In reply to comment #3)
> Do you know when the fixed version will be available on rhel?

It will be fixed in RHEL 6.3, the beta of which should be released fairly soon.
Comment 7 Taunus 2012-04-25 03:17:29 EDT
Just downloaded sssd rhel beta packages. The beta package version is sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.
Comment 8 Stephen Gallagher 2012-04-25 07:17:02 EDT
(In reply to comment #7)
> Just downloaded sssd rhel beta packages. The beta package version is
> sssd-1.8.0-22.el6 and the fixed packages in the bug says sssd-1.8.0-23.el6.

Yes, sorry. Apparently the RHEL beta shipped with -22. This is fixed and ready for the final release. If you contact your support rep, they may be able to provide you with the newer build.
Comment 9 Stephen Gallagher 2012-04-25 07:18:17 EDT
Actually, let me correct that. It looks like the package version is incorrect above. It should already be fixed in -22 (I need to read more carefully).

Correcting the FixedIn version.
Comment 10 Taunus 2012-04-25 07:27:43 EDT
Ok, I've tested the new packages a bit and sssd-1.8.0-22.el6 works much better than sssd-1.5.1-66.
Comment 11 Kaushik Banerjee 2012-04-25 10:34:03 EDT
Verified with version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Fri 20 Apr 2012 11:30:39 PM IST
Install Date: Wed 25 Apr 2012 07:28:48 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-23.el6.src.rpm
Size        : 7874744                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon



Verification steps (the delay is 6 seconds now):

# iptables -I OUTPUT -d ipaserver.example.com -j DROP
# date;id kau1;date
Fri Apr 20 16:15:14 IST 2012
id: kau1: No such user
Fri Apr 20 16:15:20 IST 2012
Comment 12 Stephen Gallagher 2012-06-12 09:55:43 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The openldap client libraries (used by SSSD) do not time out properly if communication with an LDAP server would DROP packets instead of REJECTing them.

Consequence: SSSD would hang and never respond to requests.

Fix: SSSD added a timer to ensure that connections are given up on after a reasonable time.

Result: SSSD no longer hangs unresponsive if the LDAP server is not responding.
Comment 14 errata-xmlrpc 2012-06-20 07:56:47 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html
Comment 15 Antonio Dias 2015-08-04 08:37:32 EDT
Is this bug going to be fixed for RHEL5 sssd packages?
