After a recent upgrade of my system, sssd died during startup with SIGBUS. This happens with our (realm specific) configuration. When using the default configuration, it just prints that it needs at least one configured domain, and exits.
The crash happens due to a memory corruption in realloc(), so the actual cause of the bug must be before that. I tracked the memory corruption down (using a watchpoint in the debugger) to:
(gdb) bt
#0 0x00000000812bb50d in memcpy () from /lib/libc.so.7
#1 0x0000000081218df9 in ?? () from /lib/libc.so.7
#2 0x000000008121fabb in realloc () from /lib/libc.so.7
#3 0x0000000080371da4 in _talloc_realloc (context=<optimized out>, ptr=0x819d5100, size=18, name=0x802714ba "char") at ../../talloc.c:2040
#4 0x000000008027d188 in prepend_cn (str=<optimized out>, comp=<optimized out>, clen=4, slen=<optimized out>) at src/confdb/confdb.c:47
#5 parse_section (mem_ctx=0x819a34a0, section=0x203aaf "sssd", sec_dn=0x7fffffffe4e0, rdn_name=0x0) at src/confdb/confdb.c:85
#6 0x000000008027d631 in confdb_get_param (cdb=0x821c3460, mem_ctx=0x819e8060, section=0x203aa8 "config/sssd", attribute=0x204f84 "krb5_rcache_dir", values=0x7fffffffe558) at src/confdb/confdb.c:240
#7 0x000000008027da90 in confdb_get_string (cdb=0x821c3460, ctx=0x819e8060, section=0x203aa8 "config/sssd", attribute=0x204f84 "krb5_rcache_dir", defstr=0x20446d "__LIBKRB5_DEFAULTS__", result=0x7fffffffe5a8) at src/confdb/confdb.c:381
#8 0x0000000000208193 in monitor_process_init (ctx=0x819e8060, config_file=<optimized out>) at src/monitor/monitor.c:2123
#9 0x0000000000209dfa in main (argc=<optimized out>, argv=<optimized out>) at src/monitor/monitor.c:2868
If I back out r545276, it at least starts without crashing. I don't think it works as designed completely, e.g. I'm being asked for a password, rather than ssh using the pubkey stored on the IPA server. But at least, I can log in at all.
Can you retry this with version 1.16.5, which was committed in r555585?
Will take a moment, the entire machine (which runs in a VM on a larger server host) has just accidentally been damaged, and needs to be reinstalled from scratch. :(
(In reply to Rene Ladan from comment #1)
It references Samba 4.10 which has been dropped from the tree due to (apparently unfixable) security issues. When I move the references to Samba 4.12 (port samba412), I get compile errors:
libtool: compile: cc -DHAVE_CONFIG_H -I. -Wall -I.. -I./src/sss_client -I./src -I. -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/dbus-1.0 -I/usr/local/lib/dbus-1.0/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -DLIBDIR=\"/usr/local/lib\" -DVARDIR=\"/var\" -DSSS_STATEDIR=\"/var/db/sss\" -DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\" -DSSSDDATADIR=\"/usr/local/share/sssd/sssd\" -DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\" -DSSSD_CONF_DIR=\"/usr/local/etc/sssd\" -DSSS_NSS_MCACHE_DIR=\"/var/db/sss/mc\" -DSSS_NSS_SOCKET_NAME=\"/var/run/sss/pipes/nss\" -DSSS_PAM_SOCKET_NAME=\"/var/run/sss/pipes/pam\" -DSSS_PAC_SOCKET_NAME=\"/var/run/sss/pipes/pac\" -DSSS_PAM_PRIV_SOCKET_NAME=\"/var/run/sss/pipes/private/pam\" -DSSS_SEC_SOCKET_NAME=\"/var/run/secrets.socket\" -DSSS_SUDO_SOCKET_NAME=\"/var/run/sss/pipes/sudo\" -DSSS_AUTOFS_SOCKET_NAME=\"/var/run/sss/pipes/autofs\" -DSSS_SSH_SOCKET_NAME=\"/var/run/sss/pipes/ssh\" -DLOCALEDIR=\"/usr/local/share/locale\" -DBASE_FILE_STEM=\"libsss_ad_la-ad_srv\" -DLIBICONV_PLUG -I/usr/local/include -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/samba4 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/local/include -I/usr/local/include/samba4 -I/usr/local/include -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/local/include/samba4 -O2 -pipe -fstack-protector-all -DLIBICONV_PLUG -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -MT src/providers/ad/libsss_ad_la-ad_srv.lo -MD -MP -MF src/providers/ad/.deps/libsss_ad_la-ad_srv.Tpo -c src/providers/ad/ad_srv.c -fPIC -DPIC -o src/providers/ad/.libs/libsss_ad_la-ad_srv.o
src/providers/ad/ad_gpo_ndr.c:108:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
src/providers/ad/ad_gpo_ndr.c:108:13: note: did you mean 'ndr_pull_set_switch_value'?
/usr/local/include/samba4/ndr.h:617:19: note: 'ndr_pull_set_switch_value' declared here
enum ndr_err_code ndr_pull_set_switch_value(struct ndr_pull *ndr, const void *p, uint32_t val);
                  ^
src/providers/ad/ad_gpo_ndr.c:138:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
src/providers/ad/ad_gpo_ndr.c:201:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
3 errors generated.
Apparently, Samba changes APIs occasionally ...
After reactivating samba-410, I get this one again:
root@daemon:/usr/ports/security/sssd # make install
===> Installing for sssd-1.16.5
===> Checking if sssd is already installed
===> Registering installation for sssd-1.16.5
pkg-static: Unable to access file /usr/ports/security/sssd/work/stage/usr/local/lib/krb5/plugins/authdata/sssd_pac_plugin.so:No such file or directory
pkg-static: Unable to access file /usr/ports/security/sssd/work/stage/usr/local/libexec/sssd/sssd_pac:No such file or directory
*** Error code 74
Stop.
make[1]: stopped in /usr/ports/security/sssd
*** Error code 1
Stop.
make: stopped in /usr/ports/security/sssd
Investigating …
Thanks for the updates, Joerg - it will be the weekend before I get a chance to look at these ... hope someone else beats me to it ;-)
How are you building Samba? It was the case that one needed to build Samba with SAMBA4_BUNDLED_LDB=no so you could install a common ldb for sssd and samba ... I need to check if that's still true for samba412.
(In reply to Joerg Wunsch from comment #4) Strange, it built fine in my poudriere jail using the default Samba version (4.12 I guess) on 12.2 amd64/i386. Aha, that is without the SMB option by default, which now points to net/samba410 which expired on 2020-11-08 and was removed then too. So the port Makefile is not correct at the moment :(
The point here is: configuring for Samba is crucial when trying to connect to an IPA server (which is the case for me). The symptom with the missing sssd_pac stuff is the same as three revisions before, when there was a mismatch between the krb5 versions. However, I currently don't have the time to deeply investigate the details. If nobody else does, I'll try digging further as time permits. At the very least, I'm more than happy that the port is no longer set for expiry due to the Python2.7 reference.
Created attachment 220051
Patch to security/sssd 1.16.5 with samba412 and option SMB
This compiles for me with (the now default) net/samba412 and the security/sssd option SMB set. I needed to compile samba412 with SAMBA4_BUNDLED_LDB=no, otherwise databases/ldb21 and samba412 both try to install /usr/local/lib/python3.7/site-packages/_ldb_text.py
This patch uses a fix from upstream for the missing ndr_pull_get_switch_value(), replacing it with ndr_token_peek(). Also adds Kerberos 1.18 to allowed versions. Please test and comment.
Many thanks for the update. Builds and installs fine with Samba 4.12. I'll test re-integration of that machine into the IPA soon, and will report here.
(In reply to Joerg Wunsch from comment #9) It also still builds fine with the default options on 12.2-amd64. Is there a reason to mention all these Samba LIB_DEPENDS or can we just depend on the package once (or just one Samba library)?
(In reply to Rene Ladan from comment #10)
Looking at samba412's Makefile I don't think those libraries are dependent on any of samba's options, so I would assume they can be reduced to just:
SMB_LIB_DEPENDS= libsamba-util.so.0:net/samba412
Will run some test builds.
We reintegrated our host into the IPA, and it appears to work now. Thanks to everybody involved! Only thing: at start of sssd, I eventually get a SIGSEGV on sssd_be, dumping core. Strangely enough, afterwards sssd_be is actually running nevertheless.
I committed the patch after the compulsory two-week maintainer timeout, thanks for all the work.
A commit references this bug:
Author: rene
Date: Sat Dec 12 14:56:47 UTC 2020
New revision: 557829
URL: https://svnweb.freebsd.org/changeset/ports/557829
Log:
  devel/sssd: fix SMB option
  - use Samba 4.12 instead of the removed Samba 4.10
  - use ldb 2.1 instead of ldb 2.0
  While here, recognize Kerberos 1.18
  PR: 250864
  Submitted by: joerg (patch by Richard Frewin)
  Approved by: maintainer timeout (14 days)
Changes:
  head/security/sssd/Makefile
  head/security/sssd/files/patch-src__external__pac_responder.m4
  head/security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c
A commit references this bug:
Author: rene
Date: Sat Dec 12 15:09:20 UTC 2020
New revision: 557830
URL: https://svnweb.freebsd.org/changeset/ports/557830
Log:
  MFH: r555585 r557829
  security/sssd: update to 1.16.5
  This fixes several security vulnerabilities and unexpires the port because it moves to Python 3.
  PR: 241347
  Submitted by: lukas.slebodnik@intrak.sk (initial patch)
  Security: CVE-2018-16838
  Security: CVE-2019-3811
  security/sssd: fix SMB option
  - use Samba 4.12 instead of the removed Samba 4.10
  - use ldb 2.1 instead of ldb 2.0
  While here, recognize Kerberos 1.18
  PR: 250864
  Submitted by: joerg (patch by Richard Frewin)
  Approved by: maintainer timeout (14 days)
Changes:
  _U branches/2020Q4/
  branches/2020Q4/security/sssd/Makefile
  branches/2020Q4/security/sssd/distinfo
  branches/2020Q4/security/sssd/files/patch-Makefile.am
  branches/2020Q4/security/sssd/files/patch-configure.ac
  branches/2020Q4/security/sssd/files/patch-src-monitor-monitor.c
  branches/2020Q4/security/sssd/files/patch-src__confdb__confdb.c
  branches/2020Q4/security/sssd/files/patch-src__external__inotify.m4
  branches/2020Q4/security/sssd/files/patch-src__external__krb5.m4
  branches/2020Q4/security/sssd/files/patch-src__external__ldap.m4
  branches/2020Q4/security/sssd/files/patch-src__external__pac_responder.m4
  branches/2020Q4/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
  branches/2020Q4/security/sssd/files/patch-src__providers__ad__ad_common.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ad__ad_pac.h
  branches/2020Q4/security/sssd/files/patch-src__providers__data_provider_fo.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ipa__ipa_common.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
  branches/2020Q4/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__ldap_child.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_access.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c
  branches/2020Q4/security/sssd/files/patch-src__providers__ldap__sdap_async_users.c
  branches/2020Q4/security/sssd/files/patch-src__resolv__async_resolv_utils.c
  branches/2020Q4/security/sssd/files/patch-src__sbus__sbus_codegen
  branches/2020Q4/security/sssd/files/patch-src__sss_client__common.c
  branches/2020Q4/security/sssd/files/patch-src__sss_client__nss_group.c
  branches/2020Q4/security/sssd/files/patch-src__sss_client__pam_sss.c
  branches/2020Q4/security/sssd/files/patch-src__sss_client__sss_nss.exports
  branches/2020Q4/security/sssd/files/patch-src__tests__cmocka__test_authtok.c
  branches/2020Q4/security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c
  branches/2020Q4/security/sssd/files/patch-src__tests__cwrap__test_responder_common.c
  branches/2020Q4/security/sssd/files/patch-src__tests__cwrap__test_server.c
  branches/2020Q4/security/sssd/files/patch-src__tests__dlopen-tests.c
  branches/2020Q4/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
  branches/2020Q4/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
  branches/2020Q4/security/sssd/files/patch-src__util__find_uid.c
  branches/2020Q4/security/sssd/files/patch-src__util__nss_dl_load.c
  branches/2020Q4/security/sssd/files/patch-src__util__server.c
  branches/2020Q4/security/sssd/files/patch-src__util__signal.c
  branches/2020Q4/security/sssd/files/patch-src__util__sss_endian.h
  branches/2020Q4/security/sssd/files/patch-src__util__sss_krb5.c
  branches/2020Q4/security/sssd/files/patch-src__util__sss_ldap.c
  branches/2020Q4/security/sssd/files/patch-src__util__sss_sockets.c
  branches/2020Q4/security/sssd/files/patch-src__util__util.c
  branches/2020Q4/security/sssd/files/patch-src__util__util.h
  branches/2020Q4/security/sssd/files/patch-src_external_pac__responder.m4
  branches/2020Q4/security/sssd/files/pkg-message.in
  branches/2020Q4/security/sssd/files/sssd.in
  branches/2020Q4/security/sssd/pkg-plist