#3418 Segfault when access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
Closed: Fixed 2 years ago Opened 2 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1457644

Created attachment 1283991
SSSD Domain log file.

Description of problem:
This issue was fixed in rhel-7.3, see
https://bugzilla.redhat.com/show_bug.cgi?id=1372753.
It has resurfaced in 7.4 and is causing regression failures. Observed during
the automated regression rounds on LDAP + KRB server setup. When
access_provider = krb5 is set in sssd.conf, authentication fails for krb users
with the following error in /var/log/secure:

sshd[6003]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=testuser
sshd[6003]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
sshd[6003]: Failed password for testuser from ::1 port 34894 ssh2
sshd[6003]: fatal: Access denied for user testuser by PAM account configuration [preauth]

Version-Release number of selected component (if applicable):
sssd-1.15.2-37.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up a 389DS LDAP server and KRB server.

2. Add a testuser to LDAP server and add the same user to KRB server. See cmd
below:
 # kadmin.local -q "addprinc -pw Secret123 testuser"

3. Set up a RHEL-7.3 SSSD client system with the following configuration:

SSSD.CONF File
--------------------------------------
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://<LDAP_SERVER>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = <KRB_SERVER>
krb5_realm = EXAMPLE.COM

4. Execute user auth. (auth fails)

[root@rhel-74 sssd]# ssh -l testuser localhost
testuser@localhost's password:
Authentication failed.


5. Now comment out or remove the line "access_provider = krb5" from sssd.conf.
Clear the cache and restart sssd service.

6. Execute user auth (auth succeeds).


Actual results: User authentication failure


Expected results: Successful authentication.


Additional info:
I have attached SSSD_DOMAIN log file.
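
A triage helper for the symptom reported above, added here as an example and not part of the ticket or of SSSD: it pairs a pam_sss auth-phase success with an account-phase denial from the same sshd PID, which separates an access_provider failure from a wrong password. The syslog timestamp/host prefix and all sample lines other than the sshd[6003] ones are constructed.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpt in this ticket.
# The timestamp/host prefix, PIDs 6010/6021 and the extra users are assumptions.
SAMPLE = """\
Jun  1 10:00:01 client sshd[6003]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=testuser
Jun  1 10:00:01 client sshd[6003]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
Jun  1 10:00:01 client sshd[6003]: Failed password for testuser from ::1 port 34894 ssh2
Jun  1 10:00:09 client sshd[6010]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=otheruser
Jun  1 10:00:09 client sshd[6010]: Failed password for otheruser from ::1 port 34901 ssh2
Jun  1 10:00:20 client sshd[6021]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=gooduser
"""

# \buser= skips the empty "ruser=" field and captures the authenticating user.
AUTH_OK = re.compile(
    r"(\w+)\[(\d+)\]: pam_sss\(\S+?:auth\): authentication success;.*\buser=(\S+)")
ACCT_DENY = re.compile(
    r"(\w+)\[(\d+)\]: pam_sss\(\S+?:account\): "
    r"Access denied for user ([^\s:]+): (\d+) \((.*?)\)")


def account_phase_denials(lines):
    """Return (pid, user, pam_code, reason) for each session in which pam_sss
    reported auth success and then denied the same user in the account phase."""
    authed = {}  # (daemon, pid) -> user that passed the auth phase
    hits = []
    for line in lines:
        m = AUTH_OK.search(line)
        if m:
            authed[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = ACCT_DENY.search(line)
        if m and authed.get((m.group(1), m.group(2))) == m.group(3):
            hits.append((m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return hits


if __name__ == "__main__":
    for pid, user, code, reason in account_phase_denials(SAMPLE.splitlines()):
        print(f"sshd[{pid}]: {user} passed auth, denied at account phase: "
              f"PAM {code} ({reason})")
```

PAM code 6 is PAM_PERM_DENIED in Linux-PAM; a hit means the password was accepted and the denial came from the access provider, so the SSSD domain log is the next place to look.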

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457644

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

2 years ago

Metadata Update from @lslebodn:
- Issue set to the milestone: None

2 years ago

Metadata Update from @lslebodn:
- Custom field version adjusted to 1.15.3

2 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.3
- Issue status updated to: Closed (was: Open)

2 years ago
