[Freeipa-users] FreeIPA (directory service) Crash several times a day
Ludwig Krispenz
lkrispen at redhat.com
Tue Jul 5 14:52:23 UTC 2016
On 07/05/2016 12:08 PM, Omar AKHAM wrote:
> OK thanks. Ticket URL : https://fedorahosted.org/freeipa/ticket/6030
thanks, I tried to reproduce and failed so far, could you add some
information to the ticket on
- how the entry was created
- a full entry which was seen to crash the server, you don't need to
reveal any real data, jsur which objectclasses and attributes the entry has
>
> On 2016-07-05 10:51, Ludwig Krispenz wrote:
>> well, this does not have more information:
>> #0 0x00007efe7167c4c0 in ipapwd_keyset_free () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #1 0x00007efe7167c742 in ipapwd_encrypt_encode_key () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #2 0x00007efe7167c9c8 in ipapwd_gen_hashes () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #3 0x00007efe7167c0a7 in ipapwd_SetPassword () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #4 0x00007efe7167e458 in ipapwd_pre_bind () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>>
>> and it looks like a bug in the ipapwd plugin, we would have to
>> reproduce and work on a fix. I don't see any immediate relief unless
>> you cannot prevent clients from using password containing arbitrar
>> octets.
>> Please open a ticket to get this worked on:
>> https://fedorahosted.org/freeipa/newticket
>>
>> Ludwig
>>
>> On 07/05/2016 12:07 AM, Omar AKHAM wrote:
>>> Ok, here is a new core file : http://pastebin.com/2cJQymHd
>>>
>>> Best regards
>>>
>>> On 2016-07-04 09:39, Ludwig Krispenz wrote:
>>>> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>>>>> Where can i find core file of ipa-server?
>>>> you still need to look for the core file of slapd, but IPA deploys
>>>> plugins for slapd and that is why you need the debuginfo for
>>>> ipa-server for a better analysis of the slapd core.
>>>>>
>>>>> On 2016-07-01 13:29, Ludwig Krispenz wrote:
>>>>>> please keep the discussion on the mailing list
>>>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>>>>>>> Which package to install ? ipa-debuginfo?
>>>>>> yes
>>>>>>>
>>>>>>> 2 other crashes last night, with a different user bind this time :
>>>>>>>
>>>>>>> rawdn = 0x7f620003a200
>>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>> dn = 0x7f62000238b0
>>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>> saslmech = 0x0
>>>>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0
>>>>>>> "nw_PA\250\063\065\067"}
>>>>>>> be = 0x7f6254941c20
>>>>>>> ber_rc = <optimized out>
>>>>>>> rc = 0
>>>>>>> sdn = 0x7f62000313f0
>>>>>>> bind_sdn_in_pb = 1
>>>>>>> referral = 0x0
>>>>>>> errorbuf = '\000' <repeats 1856 times>...
>>>>>>> supported = <optimized out>
>>>>>>> pmech = <optimized out>
>>>>>>> authtypebuf =
>>>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000
>>>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\
>>>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00
>>>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177",
>>>>>>> '\000' <repeats 14 times>, "\002\000\000\000
>>>>>>> \305\363Tb\177\000\000\377\377\37
>>>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177",
>>>>>>> '\000' <repeats 57 times>
>>>>>>> bind_target_entry = 0x0
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>>>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>>>>>>>> The crash is random, sometimes the user binds without
>>>>>>>>> probleme, sometimes it bind and there is the error message of
>>>>>>>>> ipa plugin without dirsrv crash. But when it crashes, this
>>>>>>>>> user's bind is found in the new generated core file!
>>>>>>>> ok, so the user might try or use different passwords. it could be
>>>>>>>> helpful if you can install the debuginfo for the ipa-server
>>>>>>>> package
>>>>>>>> and get a new stack. Please post it to teh list, you can XXXXX the
>>>>>>>> credentials in the core, although I think they will not be proper
>>>>>>>> credentials.
>>>>>>>>
>>>>>>>> Ludwig
>>>>>>>>>
>>>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Please find strace on a core file :
>>>>>>>>>>>> http://pastebin.com/v9cUzau4
>>>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>>>>>>>> to get a better stack you would have to install also the
>>>>>>>>>>> debuginfo for ipa-server.
>>>>>>>>>> but tje stack matches the error messages you have seen
>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
>>>>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid
>>>>>>>>>> argument]
>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file
>>>>>>>>>> encoding.c,
>>>>>>>>>> line 225]: key encryption/encoding failed
>>>>>>>>>> they are from the function sin the call stack.
>>>>>>>>>>
>>>>>>>>>> Looks like the user has a password with a \351 char:
>>>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0
>>>>>>>>>> "d\351sertification"}
>>>>>>>>>>
>>>>>>>>>> does the crash always happen with a bind from this user ?
>>>>>>>>>>
>>>>>>>>>>> and then someone familiar with this plugin should look into it
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>>>>>>>> can you get a core file ?
>>>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Directory Services crashes several times a day. It's
>>>>>>>>>>>>>> installed on CentOS 7 VM :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Installed Packages
>>>>>>>>>>>>>> Name : ipa-server
>>>>>>>>>>>>>> Arch : x86_64
>>>>>>>>>>>>>> Version : 4.2.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # ipactl status
>>>>>>>>>>>>>> Directory Service: STOPPED
>>>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Before each crash, I have these messages in
>>>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100]
>>>>>>>>>>>>>> ipapwd_encrypt_encode_key - [file encoding.c, line 171]:
>>>>>>>>>>>>>> generating kerberos keys failed [Invalid argument]
>>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes -
>>>>>>>>>>>>>> [file encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any help?
>>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered
>>>>>>>>>>>>> seat: Grasbrunn,
>>>>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham,
>>>>>>>>>>>>> Michael
>>>>>>>>>>>>> O'Neill, Eric Shander
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat:
>>>>>>>>>> Grasbrunn,
>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael
>>>>>>>>>> O'Neill, Eric Shander
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
More information about the Freeipa-users
mailing list