Bug 996214 - sssd proxy_child segfault
sssd proxy_child segfault
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
19
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-12 12:43 EDT by Paolo Penzo
Modified: 2013-09-11 22:03 EDT (History)
10 users (show)

See Also:
Fixed In Version: sssd-1.11.0-0.2.beta2.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-11 22:03:04 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sssd config (620 bytes, text/plain)
2013-08-14 05:42 EDT, Paolo Penzo
no flags Details
pam proxy service config (321 bytes, text/plain)
2013-08-14 05:43 EDT, Paolo Penzo
no flags Details
krb5 config (678 bytes, text/plain)
2013-08-14 05:44 EDT, Paolo Penzo
no flags Details
system-auth-ac (1.28 KB, text/plain)
2013-08-14 05:45 EDT, Paolo Penzo
no flags Details
compressed coredump (265.89 KB, application/x-gzip)
2013-08-14 05:50 EDT, Paolo Penzo
no flags Details

  None (edit)
Description Paolo Penzo 2013-08-12 12:43:26 EDT
Description of problem:

using a domain configured to use ldap for user and group information and an already existing pam service for authentication, the sssd proxy_child process dies reporting: 

proxy_child[2876]: segfault at 0 ip 00007f0141d76911 sp 00007fff16ef2b70 error 4 in libsss_util.so[7f0141d27000+6c000]

Version-Release number of selected component (if applicable):
sssd-1.10.1-1.fc19

Actual results:
user and group lookups work fine but authentication is not possible

Expected results:
authentication works  as well as user and group lookups.
Comment 1 Lukas Slebodnik 2013-08-12 13:38:54 EDT
Are you able to reproduce this crash?

We would need more informations to find out why sssd crashed.
Can you provide steps to reproduce?

Can you provide coredump from crashed process?
If you have enabled service abrt corefile will be (should be) stored in directory
   /var/spool/abrt/ccpp-<date_of_carash>/coredump
or /var/tmp/abrt/ccpp-<date_of_carash>/coredump
Comment 2 Ondrej Kos 2013-08-13 03:15:07 EDT
Could you please also post configurations of sssd and the proxy provider (probably nslcd?)
Comment 3 Paolo Penzo 2013-08-14 05:42:58 EDT
Created attachment 786473 [details]
sssd config
Comment 4 Paolo Penzo 2013-08-14 05:43:52 EDT
Created attachment 786474 [details]
pam proxy service config
Comment 5 Paolo Penzo 2013-08-14 05:44:31 EDT
Created attachment 786475 [details]
krb5 config
Comment 6 Paolo Penzo 2013-08-14 05:45:07 EDT
Created attachment 786476 [details]
system-auth-ac
Comment 7 Paolo Penzo 2013-08-14 05:46:22 EDT
The issue is always reproducible since it is sufficient to configure an ldap domain using a pam proxy to authenticate users.

The issue is there also with sssd 1.11.0-0.1.beta2.fc19.x86_64

Configurations for sssd, pam, etc are attached.
Comment 8 Paolo Penzo 2013-08-14 05:50:46 EDT
Created attachment 786479 [details]
compressed coredump
Comment 9 Ondrej Kos 2013-08-14 07:04:05 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2046
Comment 10 Lukas Slebodnik 2013-08-14 08:08:32 EDT
Hello,                                                                                                  
patch was submitted upstream and are awaiting review.
https://lists.fedorahosted.org/pipermail/sssd-devel/2013-August/016059.html
Comment 11 Jakub Hrozek 2013-08-19 04:07:37 EDT
Fixed upstream.
Comment 12 Jakub Hrozek 2013-08-19 04:13:06 EDT
btw what is the reason for using the proxy provider at all? Could you simply use auth_provider=krb5 ? See man sssd-krb5 for more details.
Comment 13 Paolo Penzo 2013-08-19 11:45:31 EDT
In my organization, all users and groups are defined in an unique ldap server which provides only user and group information and also garantees uid and gid uniqueness whereas user authentication is done via kerberos. User principal are scattered across multiple kerberos realm but the primary part of their principal is unique. i.e. USER1 is defined only in realm REALM1 and so on.
Hence since users log in using only the primary part of their krb5 principal, I need the mappings capability of pam_krb5 to silently redirect authentication to the "right" KDC.
AFAIK at the moment sssd does not provide such powerfull regex based mapping capability - see comment #5 - so this is why I'm using the proxy auth provider.
Comment 14 Jakub Hrozek 2013-08-19 12:59:12 EDT
(In reply to Paolo Penzo from comment #13)
> In my organization, all users and groups are defined in an unique ldap
> server which provides only user and group information and also garantees uid
> and gid uniqueness whereas user authentication is done via kerberos. User
> principal are scattered across multiple kerberos realm but the primary part
> of their principal is unique. i.e. USER1 is defined only in realm REALM1 and
> so on.
> Hence since users log in using only the primary part of their krb5
> principal, I need the mappings capability of pam_krb5 to silently redirect
> authentication to the "right" KDC.
> AFAIK at the moment sssd does not provide such powerfull regex based mapping
> capability - see comment #5 - so this is why I'm using the proxy auth
> provider.

Yes, you're right, this functionality is missing from the sssd Kerberos provider. But I will file an upstream ticket to track this feature request in the sssd, I would like the proxy provider to disappear down the road:
https://fedorahosted.org/sssd/ticket/2048
Comment 15 Paolo Penzo 2013-08-20 12:44:42 EDT
It would be nice and for sure it will ease configurations like mine. However IMHO the complete removal of the auth_proxy feature will also remove some flexibility in sssd config since right now it's possible to have a complete separate PAM stack for each configured domain.
Comment 16 Jakub Hrozek 2013-08-20 13:18:43 EDT
(In reply to Paolo Penzo from comment #15)
> It would be nice and for sure it will ease configurations like mine. However
> IMHO the complete removal of the auth_proxy feature will also remove some
> flexibility in sssd config since right now it's possible to have a complete
> separate PAM stack for each configured domain.

OK, I probably phrased the previous comment wrong. It's unlikely we'll remove the proxy provider completely, but I'd like to minimize the need for it. It's still going to be valid for wrapping completely foreign PAM stacks as you noted.

Also, we haven't really commited ourselves to the regex feature yet.
Comment 17 Paolo Penzo 2013-08-23 08:50:01 EDT
Do you plan to release a new version with this patch in next days?
Comment 18 Jakub Hrozek 2013-08-23 09:49:12 EDT
(In reply to Paolo Penzo from comment #17)
> Do you plan to release a new version with this patch in next days?

I'm building the update now. Sorry for the delay, I also wanted to get (new and revised) patches for #967012 and the have been discussed on the upstream devel list still this week.
Comment 19 Paolo Penzo 2013-08-23 09:54:10 EDT
That's fine, thanks!
Comment 20 Fedora Update System 2013-08-23 10:08:08 EDT
sssd-1.11.0-0.2.beta2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.0-0.2.beta2.fc19
Comment 21 Fedora Update System 2013-08-23 19:57:24 EDT
Package sssd-1.11.0-0.2.beta2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-0.2.beta2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15215/sssd-1.11.0-0.2.beta2.fc19
then log in and leave karma (feedback).
Comment 22 Fedora Update System 2013-09-11 22:03:04 EDT
sssd-1.11.0-0.2.beta2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.