[Bug 275657] security/sssd: SSSD (sssd_be) core dumps on exit
Date: Sat, 09 Dec 2023 14:40:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275657

Bug ID: 275657
Summary: security/sssd: SSSD (sssd_be) core dumps on exit
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: jhixson@FreeBSD.org
Reporter: lloydsystems1@tpg.com.au
Flags: maintainer-feedback?(jhixson@FreeBSD.org)
Assignee: jhixson@FreeBSD.org

Overview:

SSSD is installed and working, connected to Active Directory (Windows Server 2016) by LDAP/Kerberos. However, SSSD core dumps (sssd_be.core) whenever the service is stopped.

Steps to Reproduce:

Start the SSSD service.
Stop the SSSD service or shut down the host.

Actual Results:

SSSD core dumps, leaving sssd_be.core file. The following entries are recorded in the various log files.

/var/log/messages:

<hostname> kernel: pid 63617 (sssd_be), jid 0, uid 0: exited on signal 11 (core dumped)

/var/log/sssd/sssd.log:

[sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
[sssd] [monitor_quit] (0x0040): Returned with: 0
[sssd] [monitor_quit] (0x0020): Terminating [pam][63888]
[sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [nss][63806]
[sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [ad.example.com][63617]
[sssd] [monitor_quit] (0x0020): Child [ad.example.com] terminated with a signal

/var/log/sssd/sssd_ad.example.com.log (with debug level 9):

[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000): 0x835eabb00/0x835e1c4c0
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000): 0x835eabb00/0x835e1c3c0
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x835e88b80
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
[sssd[be[ad.example.com]]] [dp_client_destructor] (0x0400): Removed PAM client
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000): 0x835eab240/0x835e1c840
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000): 0x835eab240/0x835e1c800
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x835e88540
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
[sssd[be[ad.example.com]]] [dp_client_destructor] (0x0400): Removed NSS client
[sssd[be[ad.example.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/db/sss/pubconf/kpasswdinfo.AD.EXAMPLE.COM], [2][No such file or directory]
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/db/sss/pubconf/kdcinfo.AD.EXAMPLE.COM], [2][No such file or directory]
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/db/sss/pubconf/kpasswdinfo.AD.EXAMPLE.COM], [2][No such file or directory]
[sssd[be[ad.example.com]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Smart Refresh]
[sssd[be[ad.example.com]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Full Refresh]
[sssd[be[ad.example.com]]] [dp_terminate_active_requests] (0x0400): Terminating active data provider requests
[sssd[be[ad.example.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x835e60720], connected[1], ops[0x0], ldap[0x835e1d4b0], destructor_lock[0], release_memory[0]
[sssd[be[ad.example.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.

Expected Results:

SSSD should exit cleanly and not core dump.

Additional Information:

1. SSSD works properly when running, but core dumps on exit.

2. SSSD is installed on three FreeBSD servers and all exhibit the core dump problem.

3. I have used SSSD on RHEL/CentOS with the AD provider. However, to use the AD provider on FreeBSD requires the sssd-smb package, which installs the full samba package as a dependency. This is undesirable as it leads to a much bigger installation and exposure to Samba bugs and security issues. The SSSD AD provider does not require Samba to work; it only needs some of its shared libraries. This is a packaging issue that does not exist with RHEL/CentOS.

4. To avoid Samba, I installed the basic sssd package and changed the configuration to use LDAP/Kerberos providers.

5. The SSSD configuration (sssd.conf) is shown below with ad.example.com as the AD domain.

[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com
debug_level = 2
# ----------
[nss]
; enum_cache_timeout = 120
; filter_users = root
; filter_groups = root
fallback_homedir = /usr/home/%H/%u
default_shell = /sbin/nologin
; reconnection_retries = 3
debug_level = 3
# ----------
[pam]
offline_credentials_expiration = 7
; reconnection_retries = 3
debug_level = 3
# ----------
[domain/ad.example.com]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
; chpass_provider = krb5
selinux_provider = none
krb5_server = dc.ad.example.com
krb5_realm = AD.EXAMPLE.COM
krb5_use_fast = try
krb5_fast_principal = bsd$@AD.EXAMPLE.COM
krb5_canonicalize = false
ldap_uri = ldap://dc.ad.example.com
; ldap_sasl_authid = host/dc.ad.example.com@AD.EXAMPLE.COM
ldap_sasl_authid = dc$@AD.EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_search_base = dc=ad,dc=example,dc=com
ldap_referrals = false
ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=user) (primaryGroupID=513))
ldap_account_expire_policy = ad
ldap_schema = ad
ldap_user_object_class = user
; ldap_user_name = sAMAccountName
; ldap_user_primary_group = primaryGroupID
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
; ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_member = member
ldap_id_mapping = true
homedir_substring = AD
case_sensitive = preserving
enumerate = true
cache_credentials = true
; pwd_expiration_warning = 7
lookup_family_order = ipv4_only
debug_level = 4

Software Versions:

FreeBSD version 13.2-p4.
sssd version 1.16.5_10

--
You are receiving this mail because:
You are the assignee for the bug.
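
The PID in the kernel's signal 11 line (63617) is the same PID the SSSD monitor logs for the ad.example.com backend. The following Python sketch automates that match, which is useful when checking several hosts for the same crash. It is an added example, not part of the bug report or of SSSD; the function names are illustrative and the sample input is the set of lines quoted in the report.

```python
import re

# Sample input: the lines quoted in the report (no timestamps, as shown there).
MESSAGES = "<hostname> kernel: pid 63617 (sssd_be), jid 0, uid 0: exited on signal 11 (core dumped)\n"
SSSD_LOG = """\
[sssd] [monitor_quit] (0x0020): Terminating [pam][63888]
[sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [nss][63806]
[sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [ad.example.com][63617]
[sssd] [monitor_quit] (0x0020): Child [ad.example.com] terminated with a signal
"""

KERNEL_RE = re.compile(
    r"kernel: pid (\d+) \(([^)]+)\), jid \d+, uid \d+: "
    r"exited on signal (\d+)( \(core dumped\))?")
TERM_RE = re.compile(r"\[monitor_quit\] \(0x[0-9a-f]+\): Terminating \[([^\]]+)\]\[(\d+)\]")
CHILD_RE = re.compile(
    r"\[monitor_quit\] \(0x[0-9a-f]+\): Child \[([^\]]+)\] "
    r"(exited gracefully|terminated with a signal)")

def parse_kernel_crashes(messages):
    """Map pid -> (process name, signal number, core dumped?) from kernel exit lines."""
    return {int(m.group(1)): (m.group(2), int(m.group(3)), m.group(4) is not None)
            for m in KERNEL_RE.finditer(messages)}

def correlate_shutdown(sssd_log, messages):
    """One record per SSSD child: the monitor's view of its exit plus any kernel crash line."""
    crashes = parse_kernel_crashes(messages)
    pids, report = {}, []
    for line in sssd_log.splitlines():
        if m := TERM_RE.search(line):
            pids[m.group(1)] = int(m.group(2))      # child name -> pid being terminated
        elif m := CHILD_RE.search(line):
            name, outcome = m.groups()
            pid = pids.get(name)
            proc, sig, core = crashes.get(pid, (None, None, False))
            report.append({"child": name, "pid": pid,
                           "clean": outcome == "exited gracefully",
                           "process": proc, "signal": sig, "core": core})
    return report

def crashed_children(sssd_log, messages):
    """Children the monitor saw die on a signal, with the matching kernel details."""
    return [r for r in correlate_shutdown(sssd_log, messages) if not r["clean"]]

if __name__ == "__main__":
    for rec in crashed_children(SSSD_LOG, MESSAGES):
        print(rec)
```

The patterns use search rather than full-line matches, so timestamp prefixes on real syslog and SSSD log lines do not affect the result.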