View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017597 | CentOS-7 | sssd | public | 2020-07-17 09:35 | 2020-07-17 10:41 |
Reporter | karvik.kimalane | Assigned To | |||
Priority | high | Severity | crash | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 7.8-2003 | ||||
Summary | 0017597: After applying latest updates SSSD with multiple LDAP back-ends crashes | ||||
Description | After updating sssd packages to version 1.16.4-37.el7_8.3 it's no longer possible to use configuration with multiple LDAP back-ends. During startup, SSSD successfully initialises the first back-end defined in configuration, but any following back-ends are terminated with segfault

dmesg:

```
[Thu Jul 16 16:13:54 2020] sssd_be[172815]: segfault at 0 ip 00007fea26d302e2 sp 00007ffd755e19e8 error 4 in libsss_util.so[7fea26d13000+8c000]
[Thu Jul 16 16:13:54 2020] Code: d0 75 07 48 83 c4 18 5b 5d c3 e8 c9 9d ff ff 66 0f 1f 84 00 00 00 00 00 48 8b 86 c0 00 00 00 48 8b 4e 08 48 8d 15 86 ad 04 00 <48> 8b 30 31 c0 e9 64 a0 ff ff 0f 1f 40 00 55 48 89 fd 31 ff 53 48
```

This does not happen with sssd package version 1.16.4-21.el7_7.3. With this version, configuration with multiple LDAP back-ends works correctly without any issues.
Steps To Reproduce | Update to latest SSSD version, at least 1.16.4-37

apply configuration like this:

```ini
[sssd]
config_file_version = 2
services = pam,nss,ssh
domains = ldap1,ldap2
debug_level = 4

[pam]
debug_level = 4
offline_credentials_expiration = 1
offline_failed_login_attempts = 5
pam_pwd_expiration_warning = 7
pam_verbosity = 2
reconnection_retries = 3

[nss]
debug_level = 4
default_shell = /bin/bash
filter_groups = root
filter_users = root
override_homedir = /home/%u

[ifp]
user_attributes = +passwordExpires

[session_recording]
scope = all

[domain/ldap1]
debug_level = 4
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = true
case_sensitive = false
enumerate = true
timeout = 30
refresh_expired_interval = 2700
entry_cache_timeout = 3600
krb5_realm = REALM1
krb5_server = dc1.dom1,dc2.dom1
min_id = 3000
ldap_default_bind_dn = <bind>>
ldap_default_authtok = <auth>
ldap_default_authtok_type = obfuscated_password
ldap_force_upper_case_realm = true
ldap_group_object_class = group
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_uri = ldaps://dc1.dom1,ldaps://dc2.dom1
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = pwdLastSet
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_account_expire_policy = ad
ldap_access_order = filter, pwd_expire_policy_warn, expire
ldap_group_nesting_level = 5
ldap_user_extra_attrs = passwordExpires:msDS-UserPasswordExpiryTimeComputed
auto_private_groups = true
ldap_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=<plaaplaa>))
ldap_user_search_base = <user_base>
ldap_group_search_base = <group_base>?sub?(!(cn=excludeme*))

[domain/ldap2]
debug_level = 4
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = true
case_sensitive = false
enumerate = true
timeout = 30
refresh_expired_interval = 2700
entry_cache_timeout = 3600
krb5_realm = REALM1
krb5_server = dc1.dom2,dc2.dom2
min_id = 4000
ldap_default_bind_dn = <bind>>
ldap_default_authtok = <auth>
ldap_default_authtok_type = obfuscated_password
ldap_force_upper_case_realm = true
ldap_group_object_class = group
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_uri = ldaps://dc1.dom2,ldaps://dc2.dom2
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = pwdLastSet
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_account_expire_policy = ad
ldap_access_order = filter, pwd_expire_policy_warn, expire
ldap_group_nesting_level = 5
ldap_user_extra_attrs = passwordExpires:msDS-UserPasswordExpiryTimeComputed
auto_private_groups = true
ldap_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=<plaaplaa>))
ldap_user_search_base = <user_base>
ldap_group_search_base = <group_base>?sub?(!(cn=excludeme*))
```

Restart sssd and there you have - segfault.

Remove one of those defined back-ends, you can pick either one, it does not matter and this sssd version 1.16.4-37 works fine with one ldap back-end.
Tags | No tags attached. | ||||
Unfortunately I cannot verify because I do not have the same configuration but it looks like a regression. Given that CentOS is a rebuild of the sources used to create RHEL and follows it bug for bug, can you please submit your request to Red Hat via bugzilla.redhat.com? Once RH accepts, fixes it and releases a corrected version, CentOS will pick it up automatically. For easier tracking, please crosslink this bug with the one opened at b.r.c.
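For anyone preparing the upstream report, the dmesg segfault line in the description can be decoded into the facts a maintainer will ask for. The following is an added example, not part of the original report or of SSSD; it assumes x86_64 with 4 KiB pages and that the mapping shown in brackets starts at the library's load base.

```python
import re

# Constructed sample: the segfault line quoted in the report's dmesg output.
SAMPLE = (
    "[Thu Jul 16 16:13:54 2020] sssd_be[172815]: segfault at 0 "
    "ip 00007fea26d302e2 sp 00007ffd755e19e8 error 4 "
    "in libsss_util.so[7fea26d13000+8c000]"
)

# All numeric fields in this kernel message are hexadecimal, including "error".
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on x86_64


def describe_access(err):
    """Decode the low x86 page-fault error-code bits into words."""
    mode = "user-mode" if err & 0x4 else "kernel-mode"
    if err & 0x10:
        op = "instruction fetch"
    else:
        op = "write" if err & 0x2 else "read"
    cause = "protection violation" if err & 0x1 else "page not present"
    return f"{mode} {op}, {cause}"


def parse_segfault(line):
    """Return triage facts for one dmesg segfault line, or None if no match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {
        "process": m["comm"], "pid": int(m["pid"]),
        "access": describe_access(int(m["err"], 16)),
        "null_deref": addr < PAGE_SIZE,  # fault inside the first page
        "object": m["obj"], "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:  # assumes base is the load base
            info["offset"] = ip - base  # address to hand to a symbolizer
    return info


if __name__ == "__main__":
    print(parse_segfault(SAMPLE))
```

The resulting offset is what a symbolizer such as addr2line or gdb needs, run against the matching debuginfo for the library, to name the faulting function in the bug report.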
Date Modified | Username | Field | Change |
---|---|---|---|
2020-07-17 09:35 | karvik.kimalane | New Issue | |
2020-07-17 10:41 | ManuelWolfshant | Note Added: 0037376 |