[Freeipa-users] FreeIPA (directory service) Crash several times a day

Omar AKHAM dev at mdfive.dz
Tue Jul 5 10:08:51 UTC 2016 

OK thanks. Ticket URL : https://fedorahosted.org/freeipa/ticket/6030

On 2016-07-05 10:51, Ludwig Krispenz wrote:
> well, this does not have more information:
> #0  0x00007efe7167c4c0 in ipapwd_keyset_free () from
> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
> No symbol table info available.
> #1  0x00007efe7167c742 in ipapwd_encrypt_encode_key () from
> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
> No symbol table info available.
> #2  0x00007efe7167c9c8 in ipapwd_gen_hashes () from
> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
> No symbol table info available.
> #3  0x00007efe7167c0a7 in ipapwd_SetPassword () from
> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
> No symbol table info available.
> #4  0x00007efe7167e458 in ipapwd_pre_bind () from
> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
> No symbol table info available.
> 
> and it looks like a bug in the ipapwd plugin, we would have to
> reproduce and work on a fix. I don't see any immediate relief unless
> you cannot prevent clients from using password containing arbitrar
> octets.
> Please open a ticket to get this worked on:
> https://fedorahosted.org/freeipa/newticket
> 
> Ludwig
> 
> On 07/05/2016 12:07 AM, Omar AKHAM wrote:
>> Ok, here is a new core file : http://pastebin.com/2cJQymHd
>> 
>> Best regards
>> 
>> On 2016-07-04 09:39, Ludwig Krispenz wrote:
>>> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>>>> Where can i find core file of ipa-server?
>>> you still need to look for the core file of slapd, but IPA deploys
>>> plugins for slapd and that  is why you need the debuginfo for
>>> ipa-server for a better analysis of the slapd core.
>>>> 
>>>> On 2016-07-01 13:29, Ludwig Krispenz wrote:
>>>>> please keep the discussion on the mailing list
>>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>>>>>> Which package to install ? ipa-debuginfo?
>>>>> yes
>>>>>> 
>>>>>> 2 other crashes last night, with a different user bind this time :
>>>>>> 
>>>>>>         rawdn = 0x7f620003a200 
>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>         dn = 0x7f62000238b0 
>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>         saslmech = 0x0
>>>>>>         cred = {bv_len = 9, bv_val = 0x7f6200034af0 
>>>>>> "nw_PA\250\063\065\067"}
>>>>>>         be = 0x7f6254941c20
>>>>>>         ber_rc = <optimized out>
>>>>>>         rc = 0
>>>>>>         sdn = 0x7f62000313f0
>>>>>>         bind_sdn_in_pb = 1
>>>>>>         referral = 0x0
>>>>>>         errorbuf = '\000' <repeats 1856 times>...
>>>>>>         supported = <optimized out>
>>>>>>         pmech = <optimized out>
>>>>>>         authtypebuf = 
>>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000
>>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ 
>>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 
>>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", 
>>>>>> '\000' <repeats 14 times>, "\002\000\000\000 
>>>>>> \305\363Tb\177\000\000\377\377\37
>>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", 
>>>>>> '\000' <repeats 57 times>
>>>>>>         bind_target_entry = 0x0
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>>>>>>> The crash is random, sometimes the user binds without probleme, 
>>>>>>>> sometimes it bind and there is the error message of ipa plugin 
>>>>>>>> without dirsrv crash. But when it crashes, this user's bind is 
>>>>>>>> found in the new generated core file!
>>>>>>> ok, so the user might try or use different passwords. it could be
>>>>>>> helpful if you can install the debuginfo for the ipa-server 
>>>>>>> package
>>>>>>> and get a new stack. Please post it to teh list, you can XXXXX 
>>>>>>> the
>>>>>>> credentials in the core, although I think they will not be proper
>>>>>>> credentials.
>>>>>>> 
>>>>>>> Ludwig
>>>>>>>> 
>>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>>>>>> 
>>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>> 
>>>>>>>>>>> Please find strace on a core file : 
>>>>>>>>>>> http://pastebin.com/v9cUzau4
>>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>>>>>>> to get a better stack you would have to install also the 
>>>>>>>>>> debuginfo for ipa-server.
>>>>>>>>> but tje stack matches the error messages you have seen
>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
>>>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid
>>>>>>>>> argument]
>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
>>>>>>>>> encoding.c,
>>>>>>>>> line 225]: key encryption/encoding failed
>>>>>>>>> they are from the function sin the call stack.
>>>>>>>>> 
>>>>>>>>> Looks like the user has a password with a \351 char:
>>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 
>>>>>>>>> "d\351sertification"}
>>>>>>>>> 
>>>>>>>>> does the crash always happen with a bind from this user ?
>>>>>>>>> 
>>>>>>>>>> and then someone familiar with this plugin should look into it
>>>>>>>>>>> 
>>>>>>>>>>> Regards
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>>>>>>> can you get a core file ?
>>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The Directory Services crashes several times a day. It's 
>>>>>>>>>>>>> installed on CentOS 7 VM :
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Installed Packages
>>>>>>>>>>>>> Name        : ipa-server
>>>>>>>>>>>>> Arch        : x86_64
>>>>>>>>>>>>> Version     : 4.2.0
>>>>>>>>>>>>> 
>>>>>>>>>>>>> # ipactl status
>>>>>>>>>>>>> Directory Service: STOPPED
>>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Before each crash, I have these messages in 
>>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>>>>>> 
>>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key 
>>>>>>>>>>>>> - [file encoding.c, line 171]: generating kerberos keys 
>>>>>>>>>>>>> failed [Invalid argument]
>>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
>>>>>>>>>>>>> encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Any help?
>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
>>>>>>>>>>>> Grasbrunn,
>>>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, 
>>>>>>>>>>>> Michael
>>>>>>>>>>>> O'Neill, Eric Shander
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
>>>>>>>>> Grasbrunn,
>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, 
>>>>>>>>> Michael
>>>>>>>>> O'Neill, Eric Shander

More information about the Freeipa-users mailing list