https://bugzilla.redhat.com/show_bug.cgi?id=798655 (Red Hat Enterprise Linux 6)
Description of problem:

I'm not sure if this is a bug in the kernel or an issue with sssd, but the problem is exhibited in sssd, so I'm starting there. Please reassign as necessary.

When I log into a system using a password with kerberos auth, it will succeed on the first attempt, but fail on subsequent attempts (once a ccache entry exists). It fails in get_uid_from_pid (find_uid.c), more specifically when calling strtouint32(), while looping through processes checking Uid in /proc/<pid>/status and encounters a UID of -1.

    num = strtouint32(p, &endptr, 10);
    error = errno;
    if (error != 0) {
        DEBUG(1, ("strtol failed [%s].\n", strerror(error)));
        return error;
    }

    (Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_uid_from_pid] (1): strtol failed [Numerical result out of range].
    (Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_active_uid_linux] (1): get_uid_from_pid failed.
    (Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_uid_is_active] (1): get_uid_table failed.
    (Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_ccache_file_is_used] (1): check_if_uid_is_active failed.
    (Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.

It's encountering a Uid of -1 because an nrpe process is defaulting to the UID of (2^32 - 1), which as far as I can tell is a perfectly acceptable UID since it's in the unsigned 32 range. With a UID of 4294967295, /proc/<pid>/status is showing -1, instead of 4294967295.

    [root@host tmp]$ ps -ef | grep nrpe
    4294967295 32590 1 0 Feb28 ? 00:00:01 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
    [root@host tmp]$ grep ^Uid /proc/32590/status
    Uid: -1 -1 -1 -1

Version-Release number of selected component (if applicable):
kernel-2.6.32-220.el6.x86_64
sssd-1.5.1-66.el6_2.3.x86_64

How reproducible:

Steps to Reproduce:
1. Run a process with a UID of 2^32-1
2. While using kerberos for authentication, login to the host twice

Actual results: Login fails.

Expected results: Login succeeds.
Ok, the problem here is that SSSD assumes that PIDs are unsigned 32-bit integers, but the standard type of pid_t is actually a signed 32-bit integer.
What's happening is that we're using strtoul32() which internally converts the string to a signed long long and then checks that it's > 0.
Apparently we were working under a faulty assumption that UIDs were guaranteed to be positive. I'll switch this conversion to use strtol32() instead of strtoul32() (and then cast it to uint32_t after this).
blockedby: => blocking: => coverity: => feature_milestone: => owner: somebody => sgallagh patch: => 0 status: new => assigned tests: => 0 testsupdated: => 0 upgrade: => 0
Fixed by:
- 55fcd37 (master)
- f5df473 (sssd-1-8)
resolution: => fixed status: assigned => closed
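The failure and the fix direction discussed in this ticket, reduced to a stand-alone C program. This is an added example, not SSSD's code: `parse_id`, `real_uid_from_status` and `SAMPLE_STATUS` are hypothetical names, and the status text is constructed from the values in the report. It goes slightly beyond the ticket by accepting both the signed (`-1`) and unsigned (`4294967295`) renderings of the same UID.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/status for a process with UID 2^32-1,
 * rendered the way the report shows the affected kernel printing it. */
static const char SAMPLE_STATUS[] =
    "Name:\tnrpe\nState:\tS (sleeping)\nUid:\t-1\t-1\t-1\t-1\n";

/* Hypothetical helper (not SSSD's): convert one decimal field to a 32-bit id.
 * min = 0 models an unsigned-only range check; min = INT32_MIN also accepts
 * the signed rendering, which is then cast to uint32_t. */
static int parse_id(const char *s, long long min, uint32_t *out)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);   /* skips the leading tab, stops at the next */
    if (errno != 0) return errno;
    if (end == s) return EINVAL;                 /* no digits at all */
    if (v < min || v > (long long)UINT32_MAX) return ERANGE;
    *out = (uint32_t)v;                          /* -1 becomes 4294967295 */
    return 0;
}

/* Return the real UID (first field of the "Uid:" line) from status text. */
static int real_uid_from_status(const char *status, long long min, uint32_t *uid)
{
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "Uid:", 4) == 0) return parse_id(line + 4, min, uid);
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return ENOENT;                               /* no Uid: line present */
}

int main(void)
{
    uint32_t uid = 0;
    int rc = real_uid_from_status(SAMPLE_STATUS, 0, &uid);
    printf("unsigned-only:    rc=%d (%s)\n", rc, strerror(rc));
    rc = real_uid_from_status(SAMPLE_STATUS, INT32_MIN, &uid);
    printf("signed then cast: rc=%d uid=%u\n", rc, (unsigned)uid);
    return 0;
}
```

With the unsigned-only check, a single process owned by UID 2^32-1 makes the whole process scan return an error, which is how one unrelated daemon blocked every repeat Kerberos login in the report.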
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1203769 (Red Hat Enterprise Linux 5)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=798655 798655] => [https://bugzilla.redhat.com/show_bug.cgi?id=798655 798655], [https://bugzilla.redhat.com/show_bug.cgi?id=1203769 1203769]
Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8.1 (LTM)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2258
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.