[Bug 275657] security/sssd: SSSD (sssd_be) core dumps on exit

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 09 Dec 2023 14:40:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275657

            Bug ID: 275657
           Summary: security/sssd: SSSD (sssd_be) core dumps on exit
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: jhixson@FreeBSD.org
          Reporter: lloydsystems1@tpg.com.au
             Flags: maintainer-feedback?(jhixson@FreeBSD.org)

Overview:
SSSD is installed and working, connected to Active Directory (Windows Server
2016) by LDAP/Kerberos. However, SSSD core dumps (sssd_be.core) whenever the
service is stopped.


Steps to Reproduce:
Start the SSSD service.
Stop the SSSD service or shut down the host.


Actual Results:
SSSD core dumps, leaving a sssd_be.core file.
The following entries are recorded in the various log files.

/var/log/messages:
<hostname> kernel: pid 63617 (sssd_be), jid 0, uid 0: exited on signal 11 (core
dumped)

/var/log/sssd/sssd.log:
[sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating
children
[sssd] [monitor_quit] (0x0040): Returned with: 0
[sssd] [monitor_quit] (0x0020): Terminating [pam][63888]
[sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [nss][63806]
[sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [ad.example.com][63617]
[sssd] [monitor_quit] (0x0020): Child [ad.example.com] terminated with a signal

/var/log/sssd/sssd_ad.example.com.log (with debug level 9):
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000):
0x835eabb00/0x835e1c4c0
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000):
0x835eabb00/0x835e1c3c0
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x835e88b80
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x0080): Connection is not open for
dispatching.
[sssd[be[ad.example.com]]] [dp_client_destructor] (0x0400): Removed PAM client
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000):
0x835eab240/0x835e1c840
[sssd[be[ad.example.com]]] [sbus_remove_watch] (0x2000):
0x835eab240/0x835e1c800
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x835e88540
[sssd[be[ad.example.com]]] [sbus_dispatch] (0x0080): Connection is not open for
dispatching.
[sssd[be[ad.example.com]]] [dp_client_destructor] (0x0400): Removed NSS client
[sssd[be[ad.example.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove
[/var/db/sss/pubconf/kpasswdinfo.AD.EXAMPLE.COM], [2][No such file or
directory]
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove
[/var/db/sss/pubconf/kdcinfo.AD.EXAMPLE.COM], [2][No such file or directory]
[sssd[be[ad.example.com]]] [remove_krb5_info_files] (0x0200): Could not remove
[/var/db/sss/pubconf/kpasswdinfo.AD.EXAMPLE.COM], [2][No such file or
directory]
[sssd[be[ad.example.com]]] [be_ptask_destructor] (0x0400): Terminating periodic
task [SUDO Smart Refresh]
[sssd[be[ad.example.com]]] [be_ptask_destructor] (0x0400): Terminating periodic
task [SUDO Full Refresh]
[sssd[be[ad.example.com]]] [dp_terminate_active_requests] (0x0400): Terminating
active data provider requests
[sssd[be[ad.example.com]]] [sdap_handle_release] (0x2000): Trace:
sh[0x835e60720], connected[1], ops[0x0], ldap[0x835e1d4b0], destructor_lock[0],
release_memory[0]
[sssd[be[ad.example.com]]] [remove_connection_callback] (0x4000): Successfully
removed connection callback.


Expected Results:
SSSD should exit cleanly and not core dump.


Additional Information:
1. SSSD works properly when running, but core dumps on exit.
2. SSSD is installed on three FreeBSD servers and all exhibit the core dump
problem.
3. I have used SSSD on RHEL/CentOS with the AD provider. However, using the AD
provider on FreeBSD requires the sssd-smb package, which installs the full
samba package as a dependency. This is undesirable as it leads to a much
bigger installation and exposure to Samba bugs and security issues. The SSSD AD
provider does not require Samba to work; it only needs some of its shared
libraries. This is a packaging issue that does not exist with RHEL/CentOS.
4. To avoid Samba, I installed the basic sssd package and changed the
configuration to use LDAP/Kerberos providers.
5. The SSSD configuration (sssd.conf) is shown below with ad.example.com as the
AD domain.

[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com
debug_level = 2
# ----------
[nss]
; enum_cache_timeout = 120
; filter_users = root
; filter_groups = root
fallback_homedir = /usr/home/%H/%u
default_shell = /sbin/nologin
; reconnection_retries = 3
debug_level = 3
# ----------
[pam]
offline_credentials_expiration = 7
; reconnection_retries = 3
debug_level = 3
# ----------
[domain/ad.example.com]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
; chpass_provider = krb5
selinux_provider = none
krb5_server = dc.ad.example.com
krb5_realm = AD.EXAMPLE.COM
krb5_use_fast = try
krb5_fast_principal = bsd$@AD.EXAMPLE.COM
krb5_canonicalize = false
ldap_uri = ldap://dc.ad.example.com
; ldap_sasl_authid = host/dc.ad.example.com@AD.EXAMPLE.COM
ldap_sasl_authid = dc$@AD.EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_search_base = dc=ad,dc=example,dc=com
ldap_referrals = false
ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=user) (primaryGroupID=513))
ldap_account_expire_policy = ad
ldap_schema = ad
ldap_user_object_class = user
; ldap_user_name = sAMAccountName
; ldap_user_primary_group = primaryGroupID
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
; ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_member = member
ldap_id_mapping = true
homedir_substring = AD
case_sensitive = preserving
enumerate = true
cache_credentials = true
; pwd_expiration_warning = 7
lookup_family_order = ipv4_only
debug_level = 4


Software Versions:
FreeBSD version 13.2-p4.
sssd version    1.16.5_10

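
A triage aid for the log excerpts in the report, added here as an example (it is not part of the original report or of SSSD): it pairs each child the monitor terminated with its logged outcome and, by PID, with a kernel crash record from /var/log/messages. The sample log text is constructed from the excerpts above with the mail line-wraps removed; the function and variable names are assumptions.

```python
import re

# Constructed sample input: the excerpts from the report, mail line-wraps removed.
MESSAGES_LOG = (
    "<hostname> kernel: pid 63617 (sssd_be), jid 0, uid 0: "
    "exited on signal 11 (core dumped)\n"
)
SSSD_LOG = """\
[sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
[sssd] [monitor_quit] (0x0040): Returned with: 0
[sssd] [monitor_quit] (0x0020): Terminating [pam][63888]
[sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [nss][63806]
[sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
[sssd] [monitor_quit] (0x0020): Terminating [ad.example.com][63617]
[sssd] [monitor_quit] (0x0020): Child [ad.example.com] terminated with a signal
"""

KERNEL_RE = re.compile(
    r"kernel: pid (\d+) \(([^)]+)\), jid \d+, uid \d+: "
    r"exited on signal (\d+)( \(core dumped\))?"
)
TERMINATING_RE = re.compile(
    r"\[monitor_quit\] \(0x[0-9a-fA-F]+\): Terminating \[([^\]]+)\]\[(\d+)\]"
)
OUTCOME_RE = re.compile(
    r"\[monitor_quit\] \(0x[0-9a-fA-F]+\): Child \[([^\]]+)\] "
    r"(exited gracefully|terminated with a signal)"
)


def shutdown_report(sssd_log, messages_log):
    """Map each child the monitor stopped to its outcome and any kernel crash record."""
    crashes = {
        int(m.group(1)): {"process": m.group(2), "signal": int(m.group(3)),
                          "core_dumped": m.group(4) is not None}
        for m in KERNEL_RE.finditer(messages_log)
    }
    report = {}
    for line in sssd_log.splitlines():
        m = TERMINATING_RE.search(line)
        if m:
            pid = int(m.group(2))
            # Outcome stays "unknown" if the monitor never logs a result line.
            report[m.group(1)] = {"pid": pid, "outcome": "unknown",
                                  "kernel": crashes.get(pid)}
            continue
        m = OUTCOME_RE.search(line)
        if m and m.group(1) in report:
            report[m.group(1)]["outcome"] = m.group(2)
    return report
```

PIDs are reused over time, so feed both inputs from the same shutdown window before trusting a PID match.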