833789 – sssd_nss segfaults when sudo operation is performed.

Bug 833789 - sssd_nss segfaults when sudo operation is performed.

Summary: sssd_nss segfaults when sudo operation is performed.

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	17
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Stephen Gallagher
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-20 11:19 UTC by Gowrishankar Rajaiyan
Modified:	2020-05-02 16:55 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-06-20 12:06:50 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
bt full (4.78 KB, text/plain) 2012-06-20 11:19 UTC, Gowrishankar Rajaiyan	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2425	0	None	None	None	2020-05-02 16:55:15 UTC

Description Gowrishankar Rajaiyan 2012-06-20 11:19:37 UTC

Created attachment 593181 [details]
bt full

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.8.93-0.20120618T1837Zgitbb79e75.fc17.x86_64

How reproducible:
Always

Steps to Reproduce: (Not sure if this is related, but the case where crash was detected is)

1. # ipa sudorule-show sudorule1 --all --raw
  dn: ipauniqueid=8d023938-bac0-11e1-b429-525400951069,cn=sudorules,cn=sudo,dc=testrelm,dc=com
  cn: sudorule1
  ipaenabledflag: TRUE
  memberhost: cn=hostgrp1,cn=hostgroups,cn=accounts,dc=testrelm,dc=com
  memberuser: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=com
  ipauniqueid: 8d023938-bac0-11e1-b429-525400951069
  objectclass: ipaassociation
  objectclass: ipasudorule

2. # ldapsearch -LLL -Y GSSAPI -b ou=SUDOers,dc=testrelm,dc=com
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: ou=sudoers,dc=testrelm,dc=com
objectClass: extensibleObject
ou: sudoers

dn: cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
sudoUser: user1
sudoHost: +hostgrp1
cn: sudorule1

3. [root@dhcp201-207 ~]#  ssh -o StrictHostKeyChecking=no -l user1 dhcp201-207.testrelm.com
user1.com's password: 
Last login: Wed Jun 20 07:06:09 2012 from dhcp201-207.testrelm.com
-sh-4.2$ 

4. -sh-4.2$ sudo -l

  
Actual results:
/var/log/messages:
Jun 20 07:06:17 dhcp201-207 kernel: [1039881.361685] sssd_nss[20374]: segfault at 20 ip 0000003af5e89d8d sp 00007fff523572d8 e
rror 4 in libc-2.15.so[3af5e00000+1ac000]
Jun 20 07:06:17 dhcp201-207 abrtd: Directory 'ccpp-2012-06-20-07:06:17-20374' creation detected
Jun 20 07:06:17 dhcp201-207 abrt[20454]: Saved core dump of pid 20374 (/usr/libexec/sssd/sssd_nss) to /var/spool/abrt/ccpp-201
2-06-20-07:06:17-20374 (1142784 bytes)
Jun 20 07:06:17 dhcp201-207 sssd[nss]: Starting up



Expected results: No crash detected.


Additional info:

relevant sssd.conf:
--8<--
[domain/testrelm.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dhcp201-207.testrelm.com
chpass_provider = ipa
ipa_server = dhcp201-207.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = testrelm.com
-->8--

sudo debug:
-sh-4.2$ sudo -l
LDAP Config Summary
===================
uri              ldap://dhcp201-207.testrelm.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=testrelm,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
bindpw           bind123
bind_timelimit   5
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://dhcp201-207.testrelm.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=SUDOers,dc=testrelm,dc=com
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=testrelm,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+hostgrp1' ... not
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=testrelm,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x42
[sudo] password for user1:

Comment 1 Stephen Gallagher 2012-06-20 12:01:45 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1383

Comment 2 Stephen Gallagher 2012-06-20 12:06:50 UTC

Closing as an UPSTREAM bug. This was reported against an unreleased upstream nightly build. It belongs in the upstream bug tracker, not Fedora.

Note You need to log in before you can comment on or make changes to this bug.