I set up the following configuration (against a FreeIPA 1.2 server):
[domain/sgallagh_proxy]
auth_provider = krb5
entry_cache_timeout = 30
enumerate = false
id_provider = proxy
proxy_lib_name = ldap
krb5_kdcip = vm-094.idm.lab.bos.redhat.com
krb5_realm = SGALLAGH.EXAMPLE.COM
With the following information in my ldap.conf file:
uri ldap://vm-094.idm.lab.bos.redhat.com
base cn=accounts,dc=sgallagh,dc=example,dc=com
ssl no
I then started the sssd, verified that it was serving user information and then attempted to perform an authentication with
ssh -l user1@sgallagh_proxy localhost
The sgallagh_proxy backend process segfaulted with the following backtrace:
(gdb) bt full
#0 0x00007fa17cd8ceef in proxy_pam_handler (req=0x1b49c90) at ../../server/providers/proxy.c:139
        ret = 28613496
        pam_status = 0
        pamh = 0x0
        auth_data = 0x1b49b60
        conv = {conv = 0x7fa17cd8cbac <proxy_internal_conv>, appdata_ptr = 0x1b49b60}
        pd = 0x1b68700
        ctx = 0x0
        cache_auth_data = false
        __FUNCTION__ = "proxy_pam_handler"
#1 0x000000000040797c in be_async_req_handler (ev=0x1b35ac0, te=0x1b49120, tv={tv_sec = 0, tv_usec = 0}, pvt=0x1b68850) at ../../server/providers/data_provider_be.c:109
        async_req = 0x1b68850
#2 0x0000003fbe002f25 in tevent_common_loop_timer_delay (ev=0x1b35ac0) at tevent_timed.c:254
        current_time = {tv_sec = 0, tv_usec = 0}
        te = 0x1b49120
#3 0x0000003fbe00455b in std_event_loop_once (ev=0x1b35ac0) at tevent_standard.c:543
        tval = {tv_sec = 0, tv_usec = 0}
#4 0x0000003fbe0047e6 in std_event_loop_wait (ev=0x1b35ac0) at tevent_standard.c:567
        std_ev = 0x1b35b60
#5 0x000000000042bd45 in server_loop (main_ctx=0x1b35be0) at ../../server/util/server.c:431
No locals.
#6 0x000000000040bdd8 in main (argc=5, argv=0x7fff952c6b58) at ../../server/providers/data_provider_be.c:1150
        opt = -1
        pc = 0x1b34740
        be_domain = 0x1b34b40 "sgallagh_proxy"
        srv_name = 0x1b342a0 "sssd[be[sgallagh_proxy]]"
        conf_entry = 0x1b34800 "config/domain/sgallagh_proxy"
        main_ctx = 0x1b35be0
        ret = 0
        long_options = {{longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x638980, val = 0, descrip = 0x42f4bf "Help options:", argDescrip = 0x0},
          {longName = 0x42f4cd "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x638a60, val = 0, descrip = 0x42f4d9 "Debug level", argDescrip = 0x0},
          {longName = 0x42f4e5 "debug-to-files", shortName = 102 'f', argInfo = 0, arg = 0x638a68, val = 0, descrip = 0x42f4f8 "Send the debug output to files instead of stderr", argDescrip = 0x0},
          {longName = 0x42f529 "debug-timestamps", shortName = 0 '\0', argInfo = 0, arg = 0x638a64, val = 0, descrip = 0x42f53a "Add debug timestamps", argDescrip = 0x0},
          {longName = 0x42f54f "domain", shortName = 0 '\0', argInfo = 1, arg = 0x7fff952c6a30, val = 0, descrip = 0x42f558 "Domain of the information provider (mandatory)", argDescrip = 0x0},
          {longName = 0x0, shortName = 0 '\0', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        __FUNCTION__ = "main"
During triage, Sumit and I discovered this relevant portion of the logs during setup:
[sssd[be[sgallagh_proxy]]] [sbus_init_connection] (5): Adding connection 16595F0
[sssd[be[sgallagh_proxy]]] [sbus_add_watch] (8): 0x16583b0/0x1658ef0 (13), -/W (enabled)
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658de0 (13), R/- (disabled)
[sssd[be[sgallagh_proxy]]] [monitor_common_send_id] (4): Sending ID: (%BE_sgallagh_proxy,1)
[sssd[be[sgallagh_proxy]]] [sbus_add_timeout] (8): 0x1659de0
[sssd] [sbus_toggle_watch] (8): 0x24f6f20/0x24f43d0 (11), R/- (disabled)
[sssd] [sbus_toggle_watch] (8): 0x24f6f20/0x24f2770 (11), -/W (enabled)
[sssd] [sbus_toggle_watch] (8): 0x24f6f20/0x24f43d0 (11), R/- (enabled)
[sssd] [sbus_toggle_watch] (8): 0x24f6f20/0x24f2770 (11), -/W (disabled)
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658de0 (13), R/- (enabled)
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658ef0 (13), -/W (disabled)
[sssd[be[sgallagh_proxy]]] [sbus_new_server] (3): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_sgallagh_proxy,guid=8434fada74a77c74a24b518e4afab6f5
[sssd[be[sgallagh_proxy]]] [sbus_add_watch] (8): 0x165ac80/0x165a670 (14), R/- (enabled)
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Loading backend [proxy] with path [/usr/lib64/sssd/libsss_proxy.so].
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): ID backend target successfully loaded from provider [proxy].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Loading backend [krb5] with path [/usr/lib64/sssd/libsss_krb5.so].
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_kdcip has value vm-094.idm.lab.bos.redhat.com
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_realm has value SGALLAGH.EXAMPLE.COM
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccachedir has value /tmp
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccname_tmpl has value FILE:%d/krb5cc_%U_XXXXXX
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_changepw_principle has value kadmin/changepw
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_auth_timeout has value 15
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): AUTH backend target successfully loaded from provider [krb5].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (5): no module name found in confdb, using [proxy].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Backend [proxy] already loaded.
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): ACCESS backend target successfully loaded from provider [proxy].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (5): no module name found in confdb, using [krb5].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Backend [krb5] already loaded.
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_kdcip has value vm-094.idm.lab.bos.redhat.com
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_realm has value SGALLAGH.EXAMPLE.COM
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccachedir has value /tmp
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccname_tmpl has value FILE:%d/krb5cc_%U_XXXXXX
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_changepw_principle has value kadmin/changepw
[sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_auth_timeout has value 15
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): CHPASS backend target successfully loaded from provider [krb5].
[sssd[be[sgallagh_proxy]]] [main] (1): Backend provider (sgallagh_proxy) started!
[sssd[be[sgallagh_proxy]]] [sbus_dispatch] (9): dbus conn: 16595F0
[sssd[be[sgallagh_proxy]]] [sbus_dispatch] (9): dbus conn: 16595F0
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658de0 (13), R/- (disabled)
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658ef0 (13), -/W (enabled)
[sssd[be[sgallagh_proxy]]] [sbus_toggle_watch] (8): 0x16583b0/0x1658de0 (13), R/- (enabled)
Our determination is that the segfault is being caused by the SSSD defaulting to the ID provider for the ACCESS provider if none is explicitly provided. The proxy provider can answer access requests through a custom PAM stack, but it would be unexpected to need this.
Our proposed solution here is that the default ACCESS provider should be the special "permit" provider unless otherwise specified. This default will be overridden for the IPA provider, which has its own HBAC ACCESS provider.
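A triage helper for the condition described above, added here as an example and not part of the original ticket or of SSSD: it reads backend startup logs and reports domains whose ACCESS target was bound to the proxy provider by default rather than by explicit configuration. The function names are hypothetical, and the message formats are assumed to match the log excerpt in this ticket.

```python
import re

# Sample input: backend lines copied from this ticket's log excerpt.
SAMPLE_LOG = """\
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): ID backend target successfully loaded from provider [proxy].
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): AUTH backend target successfully loaded from provider [krb5].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (5): no module name found in confdb, using [proxy].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Backend [proxy] already loaded.
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): ACCESS backend target successfully loaded from provider [proxy].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (5): no module name found in confdb, using [krb5].
[sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Backend [krb5] already loaded.
[sssd[be[sgallagh_proxy]]] [be_process_init] (9): CHPASS backend target successfully loaded from provider [krb5].
"""

LINE = re.compile(r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[\w+\] \(\d+\): (?P<msg>.*)$")
FALLBACK = re.compile(r"no module name found in confdb, using \[(\w+)\]")
LOADED = re.compile(r"(\w+) backend target successfully loaded from provider \[(\w+)\]")

def provider_targets(log_text):
    """Return {domain: {target: (provider, implicit)}} from backend log lines."""
    result, pending = {}, {}  # pending: domain -> provider chosen by fallback
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # monitor lines ([sssd] ...) and noise are ignored
        domain, msg = m["domain"], m["msg"]
        fb = FALLBACK.search(msg)
        if fb:
            pending[domain] = fb.group(1)  # next loaded target used a default
            continue
        ld = LOADED.search(msg)
        if ld:
            target, provider = ld.groups()
            implicit = pending.pop(domain, None) == provider
            result.setdefault(domain, {})[target] = (provider, implicit)
    return result

def implicit_proxy_access(log_text):
    """Domains whose ACCESS target silently defaulted to the proxy provider."""
    return sorted(d for d, t in provider_targets(log_text).items()
                  if t.get("ACCESS") == ("proxy", True))
```
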
Fields changed
tests: 1 => 0
testsupdated: 0 => 1
Fixed in 0ec8cc5
fixedin: => 1.0.0rc
resolution: => fixed
status: new => closed
rhbz: => 0
Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.0 RC
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1313
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.