#2447 AD Provider crashes when looking up the "Domain Users" group
Closed: Fixed None Opened 4 years ago by sgallagh.

I spent several hours today tracking this down. It's very easy to reproduce: simply stand up a single AD domain with one or more users. I didn't add them to any non-default groups, so Domain Users should be the only one they belong to.

Then run

getent group "Domain Users@windows.domain"

and it will crash with a NULL-dereference:

#0  0x00007f3c6fa0ba07 in sysdb_group_dn (mem_ctx=0x7f3c7168a190, dom=0x7f3c71625110, name=<optimized out>) at src/db/sysdb.c:187
        ret = <optimized out>
        clean_name = 0x7f3c71689550 "Domain Users"
        dn = <optimized out>
#1  0x00007f3c6fa0fc0a in sysdb_search_group_by_name (mem_ctx=0x7f3c71672c20, domain=0x7f3c71625110, name=0x7f3c7168a300 "Domain Users", 
    attrs=0x7f3c6fc4e020 <src_attrs>, msg=0x7fff61282a10) at src/db/sysdb_ops.c:524
        tmp_ctx = 0x7f3c7168a190
        def_attrs = {0x7f3c6fa36806 "name", 0x7f3c6fa377cf "gidNumber", 0x0}
        msgs = 0x0
        basedn = 0x0
        msgs_count = 0
        ret = 1875173408
        __FUNCTION__ = "sysdb_search_group_by_name"
#2  0x00007f3c6fa1401a in sysdb_store_group (domain=0x7f3c71625110, name=0x7f3c7168a300 "Domain Users", gid=1872980432, attrs=0x7f3c71664410, 
    cache_timeout=139897576952848, now=1411517599) at src/db/sysdb_ops.c:2028
        tmp_ctx = 0x7f3c71672c20
        src_attrs = {0x7f3c6fa36806 "name", 0x7f3c6fa377cf "gidNumber", 0x7f3c6fa3824e "originalModifyTimestamp", 0x0}
        msg = 0x7f3c7168a110
        new_group = 13
        ret = 12
        __FUNCTION__ = "sysdb_store_group"
#3  0x00007f3c61219f05 in sdap_store_group_with_gid (now=<optimized out>, posix_group=<optimized out>, cache_timeout=<optimized out>, 
    group_attrs=<optimized out>, gid=<optimized out>, name=<optimized out>, domain=<optimized out>) at src/providers/ldap/sdap_async_groups.c:365
No locals.
#4  sdap_save_group (now=<optimized out>, _usn_value=<optimized out>, ghosts=<optimized out>, store_original_member=<optimized out>, 
    populate_members=<optimized out>, attrs=<optimized out>, dom=<optimized out>, opts=<optimized out>, memctx=<optimized out>)
    at src/providers/ldap/sdap_async_groups.c:756
        gid = 1501400513
        tmpctx = 0x7f3c71673130
        use_id_mapping = false
        ad_group_type = -2147483646
        group_name = 0x7f3c7168a300 "Domain Users"
        el = 0x7f3c7168a150
        posix_group = true
        sid_str = 0x7f3c716771e0 "S-1-5-21-2358827345-190803116-1095511743-513"
#5  sdap_save_groups (memctx=0x7f3c7168a190, sysdb=0x7f3c71672c20, dom=0x7f3c6fa369d0, opts=0x7f3c7164ca50, groups=0x7f3c71611410, num_groups=1, 
    populate_members=false, ghosts=0x0, save_orig_member=true, _usn_value=0x7f3c71677860) at src/providers/ldap/sdap_async_groups.c:944
        ret = 1902588208
        sret = 0
        __FUNCTION__ = "sdap_save_groups"

The issue is that {{{dom->sysdb}}} is NULL:

(gdb) print *dom
$2 = {name = 0x7f3c71611410 "default", conn_name = 0x7f3c71611410 "default", provider = 0x7f3c71611480 "ldap", timeout = 0, enumerate = false, 
  sd_enumerate = 0x7f3c71628120, fqnames = false, mpg = false, ignore_group_members = true, id_min = 1, id_max = 0, cache_credentials = true, 
  legacy_passwords = false, case_sensitive = true, case_preserve = true, override_gid = 0, override_homedir = 0x7f3c71611810 "/home/%u", 
  fallback_homedir = 0x0, subdomain_homedir = 0x7f3c7160f250 "/home/%d/%u", homedir_substr = 0x0, override_shell = 0x0, default_shell = 0x0, 
  user_timeout = 5400, group_timeout = 5400, netgroup_timeout = 5400, service_timeout = 5400, autofsmap_timeout = 5400, sudo_timeout = 5400, 
  ssh_host_timeout = 5400, refresh_expired_interval = 0, subdomain_refresh_interval = 14400, pwd_expiration_warning = -1, sysdb = 0x0, names = 0x0, 
  parent = 0x0, subdomains = 0x0, realm = 0x0, flat_name = 0x0, domain_id = 0x0, forest = 0x0, subdomains_last_checked = {tv_sec = 0, tv_usec = 0}, 
  prev = 0x0, next = 0x7f3c71625b80, disabled = false}

I ran a {{{git bisect}}} until I discovered that the bug was caused by git commit b12e250.

I will look into this further, but I'm opening a ticket to track it.


For more detail, we discovered that this bug only happens when the AD provider is not the first domain in the set of active domains.

My configuration had the first domain as id_provider = ldap and the second as id_provider = ad, which made this bug trivially reproducible.
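
A cut-down C model of the condition reported above, added here as an illustration and not taken from SSSD or from either commit named in the ticket: the domain handed to the group-DN builder is the first ("default", ldap) entry of the list, whose sysdb pointer is NULL. The struct layout, the function names `find_domain` and `group_dn`, the DN format and the idea that only the backend's own domain carries a cache handle are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the structures seen in the backtrace. */
struct cache { const char *base_dn; };   /* plays the role of dom->sysdb */
struct domain {
    const char *name;
    const char *provider;
    struct cache *sysdb;                 /* assumed NULL when not initialised */
    struct domain *next;
};

/* Walk the list for the named domain instead of assuming the head is ours. */
struct domain *find_domain(struct domain *head, const char *name)
{
    for (struct domain *d = head; d != NULL; d = d->next) {
        if (strcmp(d->name, name) == 0) return d;
    }
    return NULL;
}

/* Build "name=<group>,cn=groups,<base>". A domain without a cache handle is
 * rejected instead of dereferenced. Returns 0, EINVAL or ERANGE. */
int group_dn(const struct domain *dom, const char *group, char *out, size_t len)
{
    if (dom == NULL || dom->sysdb == NULL || group == NULL) return EINVAL;
    int n = snprintf(out, len, "name=%s,cn=groups,%s", group, dom->sysdb->base_dn);
    return (n < 0 || (size_t)n >= len) ? ERANGE : 0;
}

/* Constructed sample mirroring the report: ldap domain first, ad second. */
static struct cache ad_cache = { "cn=windows.domain,cn=sysdb" };
static struct domain ad_dom = { "windows.domain", "ad", &ad_cache, NULL };
static struct domain ldap_dom = { "default", "ldap", NULL, &ad_dom };

int main(void)
{
    char dn[128];
    /* Passing the list head recreates the reported condition; it is caught. */
    printf("head:   %d\n", group_dn(&ldap_dom, "Domain Users", dn, sizeof(dn)));
    /* Resolving the domain by name yields the one with a cache handle. */
    int ret = group_dn(find_domain(&ldap_dom, "windows.domain"),
                       "Domain Users", dn, sizeof(dn));
    printf("byname: %d %s\n", ret, ret == 0 ? dn : "");
    return 0;
}
```
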

Fixed by a2147c6

resolution: => fixed
status: new => closed

Thanks for marking the ticket as fixed, I meant to ask you if some other patches are needed and apparently this means "no" :-)

mark: => 0
milestone: NEEDS_TRIAGE => SSSD 1.12.2

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue marked as depending on: #2345
- Issue set to the milestone: SSSD 1.12.2

2 years ago
