Description of problem: using a domain configured to use ldap for user and group information and an already existing pam service for authentication, the sssd proxy_child process dies reporting: proxy_child[2876]: segfault at 0 ip 00007f0141d76911 sp 00007fff16ef2b70 error 4 in libsss_util.so[7f0141d27000+6c000] Version-Release number of selected component (if applicable): sssd-1.10.1-1.fc19 Actual results: user and group lookups work fine but authentication is not possible Expected results: authentication works as well as user and group lookups.
Are you able to reproduce this crash? We would need more informations to find out why sssd crashed. Can you provide steps to reproduce? Can you provide coredump from crashed process? If you have enabled service abrt corefile will be (should be) stored in directory /var/spool/abrt/ccpp-<date_of_carash>/coredump or /var/tmp/abrt/ccpp-<date_of_carash>/coredump
Could you please also post configurations of sssd and the proxy provider (probably nslcd?)
Created attachment 786473 [details] sssd config
Created attachment 786474 [details] pam proxy service config
Created attachment 786475 [details] krb5 config
Created attachment 786476 [details] system-auth-ac
The issue is always reproducible since it is sufficient to configure an ldap domain using a pam proxy to authenticate users. The issue is there also with sssd 1.11.0-0.1.beta2.fc19.x86_64 Configurations for sssd, pam, etc are attached.
Created attachment 786479 [details] compressed coredump
Upstream ticket: https://fedorahosted.org/sssd/ticket/2046
Hello, patch was submitted upstream and are awaiting review. https://lists.fedorahosted.org/pipermail/sssd-devel/2013-August/016059.html
Fixed upstream.
btw what is the reason for using the proxy provider at all? Could you simply use auth_provider=krb5 ? See man sssd-krb5 for more details.
In my organization, all users and groups are defined in an unique ldap server which provides only user and group information and also garantees uid and gid uniqueness whereas user authentication is done via kerberos. User principal are scattered across multiple kerberos realm but the primary part of their principal is unique. i.e. USER1 is defined only in realm REALM1 and so on. Hence since users log in using only the primary part of their krb5 principal, I need the mappings capability of pam_krb5 to silently redirect authentication to the "right" KDC. AFAIK at the moment sssd does not provide such powerfull regex based mapping capability - see comment #5 - so this is why I'm using the proxy auth provider.
(In reply to Paolo Penzo from comment #13) > In my organization, all users and groups are defined in an unique ldap > server which provides only user and group information and also garantees uid > and gid uniqueness whereas user authentication is done via kerberos. User > principal are scattered across multiple kerberos realm but the primary part > of their principal is unique. i.e. USER1 is defined only in realm REALM1 and > so on. > Hence since users log in using only the primary part of their krb5 > principal, I need the mappings capability of pam_krb5 to silently redirect > authentication to the "right" KDC. > AFAIK at the moment sssd does not provide such powerfull regex based mapping > capability - see comment #5 - so this is why I'm using the proxy auth > provider. Yes, you're right, this functionality is missing from the sssd Kerberos provider. But I will file an upstream ticket to track this feature request in the sssd, I would like the proxy provider to disappear down the road: https://fedorahosted.org/sssd/ticket/2048
It would be nice and for sure it will ease configurations like mine. However IMHO the complete removal of the auth_proxy feature will also remove some flexibility in sssd config since right now it's possible to have a complete separate PAM stack for each configured domain.
(In reply to Paolo Penzo from comment #15) > It would be nice and for sure it will ease configurations like mine. However > IMHO the complete removal of the auth_proxy feature will also remove some > flexibility in sssd config since right now it's possible to have a complete > separate PAM stack for each configured domain. OK, I probably phrased the previous comment wrong. It's unlikely we'll remove the proxy provider completely, but I'd like to minimize the need for it. It's still going to be valid for wrapping completely foreign PAM stacks as you noted. Also, we haven't really commited ourselves to the regex feature yet.
Do you plan to release a new version with this patch in next days?
(In reply to Paolo Penzo from comment #17) > Do you plan to release a new version with this patch in next days? I'm building the update now. Sorry for the delay, I also wanted to get (new and revised) patches for #967012 and the have been discussed on the upstream devel list still this week.
That's fine, thanks!
sssd-1.11.0-0.2.beta2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sssd-1.11.0-0.2.beta2.fc19
Package sssd-1.11.0-0.2.beta2.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-0.2.beta2.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-15215/sssd-1.11.0-0.2.beta2.fc19 then log in and leave karma (feedback).
sssd-1.11.0-0.2.beta2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.