View Issue Details

ID: 0017597
Project: CentOS-7
Category: sssd
View Status: public
Last Update: 2020-07-17 10:41
Reporter: karvik.kimalane
Priority: high
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.8-2003
Target Version:
Fixed in Version:

Summary: 0017597: After applying latest updates SSSD with multiple LDAP back-ends crashes

Description: After updating sssd packages to version 1.16.4-37.el7_8.3 it's no longer possible to use configuration with multiple LDAP back-ends. During startup, SSSD successfully initialises the first back-end defined in configuration, but any following back-ends are terminated with segfault.

dmesg:
[Thu Jul 16 16:13:54 2020] sssd_be[172815]: segfault at 0 ip 00007fea26d302e2 sp 00007ffd755e19e8 error 4 in libsss_util.so[7fea26d13000+8c000]
[Thu Jul 16 16:13:54 2020] Code: d0 75 07 48 83 c4 18 5b 5d c3 e8 c9 9d ff ff 66 0f 1f 84 00 00 00 00 00 48 8b 86 c0 00 00 00 48 8b 4e 08 48 8d 15 86 ad 04 00 <48> 8b 30 31 c0 e9 64 a0 ff ff 0f 1f 40 00 55 48 89 fd 31 ff 53 48

This does not happen with sssd package version 1.16.4-21.el7_7.3. With this version, configuration with multiple LDAP back-ends works correctly without any issues.
Steps To Reproduce: Update to latest SSSD version, at least 1.16.4-37

Apply configuration like this:

[sssd]
config_file_version = 2
services = pam,nss,ssh
domains = ldap1,ldap2
debug_level = 4

[pam]
debug_level = 4
offline_credentials_expiration = 1
offline_failed_login_attempts = 5
pam_pwd_expiration_warning = 7
pam_verbosity = 2
reconnection_retries = 3

[nss]
debug_level = 4
default_shell = /bin/bash
filter_groups = root
filter_users = root
override_homedir = /home/%u

[ifp]
user_attributes = +passwordExpires

[session_recording]
scope = all

[domain/ldap1]
debug_level = 4
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = true
case_sensitive = false
enumerate = true
timeout = 30
refresh_expired_interval = 2700
entry_cache_timeout = 3600
krb5_realm = REALM1
krb5_server = dc1.dom1,dc2.dom1
min_id = 3000
ldap_default_bind_dn = <bind>
ldap_default_authtok = <auth>
ldap_default_authtok_type = obfuscated_password
ldap_force_upper_case_realm = true
ldap_group_object_class = group
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_uri = ldaps://dc1.dom1,ldaps://dc2.dom1
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = pwdLastSet
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_account_expire_policy = ad
ldap_access_order = filter, pwd_expire_policy_warn, expire
ldap_group_nesting_level = 5
ldap_user_extra_attrs = passwordExpires:msDS-UserPasswordExpiryTimeComputed
auto_private_groups = true
ldap_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=<plaaplaa>))
ldap_user_search_base = <user_base>
ldap_group_search_base = <group_base>?sub?(!(cn=excludeme*))

[domain/ldap2]
debug_level = 4
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = true
case_sensitive = false
enumerate = true
timeout = 30
refresh_expired_interval = 2700
entry_cache_timeout = 3600
krb5_realm = REALM1
krb5_server = dc1.dom2,dc2.dom2
min_id = 4000
ldap_default_bind_dn = <bind>
ldap_default_authtok = <auth>
ldap_default_authtok_type = obfuscated_password
ldap_force_upper_case_realm = true
ldap_group_object_class = group
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_uri = ldaps://dc1.dom2,ldaps://dc2.dom2
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = pwdLastSet
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_account_expire_policy = ad
ldap_access_order = filter, pwd_expire_policy_warn, expire
ldap_group_nesting_level = 5
ldap_user_extra_attrs = passwordExpires:msDS-UserPasswordExpiryTimeComputed
auto_private_groups = true
ldap_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=<plaaplaa>))
ldap_user_search_base = <user_base>
ldap_group_search_base = <group_base>?sub?(!(cn=excludeme*))

Restart sssd and there you have it: segfault.
Remove one of those defined back-ends (you can pick either one, it does not matter) and this sssd version 1.16.4-37 works fine with one LDAP back-end.
Tags: No tags attached.
abrt_hash:
URL:

Activities

ManuelWolfshant

2020-07-17 10:41

manager   ~0037376

Unfortunately I cannot verify because I do not have the same configuration, but it looks like a regression. Given that CentOS is a rebuild of the sources used to create RHEL and follows it bug for bug, can you please submit your request to Red Hat via bugzilla.redhat.com? Once RH accepts, fixes it and releases a corrected version, CentOS will pick it up automatically.
For easier tracking, please crosslink this bug with the one opened at b.r.c.

Issue History

Date Modified | Username | Field | Change
2020-07-17 09:35 | karvik.kimalane | New Issue |
2020-07-17 10:41 | ManuelWolfshant | Note Added: 0037376 |