[Freeipa-users] FreeIPA (directory service) Crash several times a day

Ludwig Krispenz lkrispen at redhat.com
Tue Jul 5 08:51:06 UTC 2016 

well, this does not have more information:
#0  0x00007efe7167c4c0 in ipapwd_keyset_free () from 
/usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#1  0x00007efe7167c742 in ipapwd_encrypt_encode_key () from 
/usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#2  0x00007efe7167c9c8 in ipapwd_gen_hashes () from 
/usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#3  0x00007efe7167c0a7 in ipapwd_SetPassword () from 
/usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#4  0x00007efe7167e458 in ipapwd_pre_bind () from 
/usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.

and it looks like a bug in the ipapwd plugin, we would have to reproduce 
and work on a fix. I don't see any immediate relief unless you cannot 
prevent clients from using password containing arbitrar octets.
Please open a ticket to get this worked on: 
https://fedorahosted.org/freeipa/newticket

Ludwig

On 07/05/2016 12:07 AM, Omar AKHAM wrote:
> Ok, here is a new core file : http://pastebin.com/2cJQymHd
>
> Best regards
>
> On 2016-07-04 09:39, Ludwig Krispenz wrote:
>> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>>> Where can i find core file of ipa-server?
>> you still need to look for the core file of slapd, but IPA deploys
>> plugins for slapd and that  is why you need the debuginfo for
>> ipa-server for a better analysis of the slapd core.
>>>
>>> On 2016-07-01 13:29, Ludwig Krispenz wrote:
>>>> please keep the discussion on the mailing list
>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>>>>> Which package to install ? ipa-debuginfo?
>>>> yes
>>>>>
>>>>> 2 other crashes last night, with a different user bind this time :
>>>>>
>>>>>         rawdn = 0x7f620003a200 
>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>         dn = 0x7f62000238b0 
>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>         saslmech = 0x0
>>>>>         cred = {bv_len = 9, bv_val = 0x7f6200034af0 
>>>>> "nw_PA\250\063\065\067"}
>>>>>         be = 0x7f6254941c20
>>>>>         ber_rc = <optimized out>
>>>>>         rc = 0
>>>>>         sdn = 0x7f62000313f0
>>>>>         bind_sdn_in_pb = 1
>>>>>         referral = 0x0
>>>>>         errorbuf = '\000' <repeats 1856 times>...
>>>>>         supported = <optimized out>
>>>>>         pmech = <optimized out>
>>>>>         authtypebuf = 
>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000
>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ 
>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 
>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", 
>>>>> '\000' <repeats 14 times>, "\002\000\000\000 
>>>>> \305\363Tb\177\000\000\377\377\37
>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", 
>>>>> '\000' <repeats 57 times>
>>>>>         bind_target_entry = 0x0
>>>>>
>>>>>
>>>>>
>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>>>>>> The crash is random, sometimes the user binds without probleme, 
>>>>>>> sometimes it bind and there is the error message of ipa plugin 
>>>>>>> without dirsrv crash. But when it crashes, this user's bind is 
>>>>>>> found in the new generated core file!
>>>>>> ok, so the user might try or use different passwords. it could be
>>>>>> helpful if you can install the debuginfo for the ipa-server package
>>>>>> and get a new stack. Please post it to teh list, you can XXXXX the
>>>>>> credentials in the core, although I think they will not be proper
>>>>>> credentials.
>>>>>>
>>>>>> Ludwig
>>>>>>>
>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>>>>>
>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Please find strace on a core file : http://pastebin.com/v9cUzau4
>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>>>>>> to get a better stack you would have to install also the 
>>>>>>>>> debuginfo for ipa-server.
>>>>>>>> but tje stack matches the error messages you have seen
>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
>>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid
>>>>>>>> argument]
>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
>>>>>>>> encoding.c,
>>>>>>>> line 225]: key encryption/encoding failed
>>>>>>>> they are from the function sin the call stack.
>>>>>>>>
>>>>>>>> Looks like the user has a password with a \351 char:
>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
>>>>>>>>
>>>>>>>> does the crash always happen with a bind from this user ?
>>>>>>>>
>>>>>>>>> and then someone familiar with this plugin should look into it
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>>>>>> can you get a core file ?
>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> The Directory Services crashes several times a day. It's 
>>>>>>>>>>>> installed on CentOS 7 VM :
>>>>>>>>>>>>
>>>>>>>>>>>> Installed Packages
>>>>>>>>>>>> Name        : ipa-server
>>>>>>>>>>>> Arch        : x86_64
>>>>>>>>>>>> Version     : 4.2.0
>>>>>>>>>>>>
>>>>>>>>>>>> # ipactl status
>>>>>>>>>>>> Directory Service: STOPPED
>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Before each crash, I have these messages in 
>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>>>>>
>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key 
>>>>>>>>>>>> - [file encoding.c, line 171]: generating kerberos keys 
>>>>>>>>>>>> failed [Invalid argument]
>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
>>>>>>>>>>>> encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Any help?
>>>>>>>>>>>> Best regards
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
>>>>>>>>>>> Grasbrunn,
>>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, 
>>>>>>>>>>> Michael
>>>>>>>>>>> O'Neill, Eric Shander
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
>>>>>>>> Grasbrunn,
>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael
>>>>>>>> O'Neill, Eric Shander

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

More information about the Freeipa-users mailing list