[Freeipa-users] FreeIPA (directory service) Crash several times a day

Omar AKHAM dev at mdfive.dz
Tue Jul 5 17:48:59 UTC 2016


Users were migrated from MDS (Mandriva Directory Server) with freeipa 
migration mode (ipa migrate-ds).
You can take a look at the attached screenshot for objectclasses & 
attributes.

On 2016-07-05 16:52, Ludwig Krispenz wrote:
> On 07/05/2016 12:08 PM, Omar AKHAM wrote:
>> OK thanks. Ticket URL : https://fedorahosted.org/freeipa/ticket/6030
> thanks, I tried to reproduce and failed so far, could you add some
> information to the ticket on
> - how the entry was created
> - a full entry which was seen to crash the server, you don't need to
> reveal any real data, just which objectclasses and attributes the
> entry has
>> 
>> On 2016-07-05 10:51, Ludwig Krispenz wrote:
>>> well, this does not have more information:
>>> #0  0x00007efe7167c4c0 in ipapwd_keyset_free () from
>>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>>> No symbol table info available.
>>> #1  0x00007efe7167c742 in ipapwd_encrypt_encode_key () from
>>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>>> No symbol table info available.
>>> #2  0x00007efe7167c9c8 in ipapwd_gen_hashes () from
>>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>>> No symbol table info available.
>>> #3  0x00007efe7167c0a7 in ipapwd_SetPassword () from
>>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>>> No symbol table info available.
>>> #4  0x00007efe7167e458 in ipapwd_pre_bind () from
>>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>>> No symbol table info available.
>>> 
>>> and it looks like a bug in the ipapwd plugin, we would have to
>>> reproduce and work on a fix. I don't see any immediate relief unless
>>> you cannot prevent clients from using password containing arbitrary
>>> octets.
>>> Please open a ticket to get this worked on:
>>> https://fedorahosted.org/freeipa/newticket
>>> 
>>> Ludwig
>>> 
>>> On 07/05/2016 12:07 AM, Omar AKHAM wrote:
>>>> Ok, here is a new core file : http://pastebin.com/2cJQymHd
>>>> 
>>>> Best regards
>>>> 
>>>> On 2016-07-04 09:39, Ludwig Krispenz wrote:
>>>>> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>>>>>> Where can I find core file of ipa-server?
>>>>> you still need to look for the core file of slapd, but IPA deploys
>>>>> plugins for slapd and that is why you need the debuginfo for
>>>>> ipa-server for a better analysis of the slapd core.
>>>>>> 
>>>>>> On 2016-07-01 13:29, Ludwig Krispenz wrote:
>>>>>>> please keep the discussion on the mailing list
>>>>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>>>>>>>> Which package to install ? ipa-debuginfo?
>>>>>>> yes
>>>>>>>> 
>>>>>>>> 2 other crashes last night, with a different user bind this time:
>>>>>>>> 
>>>>>>>>         rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>>>         dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>>>>>>         saslmech = 0x0
>>>>>>>>         cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
>>>>>>>>         be = 0x7f6254941c20
>>>>>>>>         ber_rc = <optimized out>
>>>>>>>>         rc = 0
>>>>>>>>         sdn = 0x7f62000313f0
>>>>>>>>         bind_sdn_in_pb = 1
>>>>>>>>         referral = 0x0
>>>>>>>>         errorbuf = '\000' <repeats 1856 times>...
>>>>>>>>         supported = <optimized out>
>>>>>>>>         pmech = <optimized out>
>>>>>>>>         bind_target_entry = 0x0
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>>>>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>>>>>>>>> The crash is random, sometimes the user binds without 
>>>>>>>>>> problem, sometimes it binds and there is the error message of 
>>>>>>>>>> ipa plugin without dirsrv crash. But when it crashes, this 
>>>>>>>>>> user's bind is found in the new generated core file!
>>>>>>>>> ok, so the user might try or use different passwords. It could be
>>>>>>>>> helpful if you can install the debuginfo for the ipa-server package
>>>>>>>>> and get a new stack. Please post it to the list, you can XXXXX the
>>>>>>>>> credentials in the core, although I think they will not be proper
>>>>>>>>> credentials.
>>>>>>>>> 
>>>>>>>>> Ludwig
>>>>>>>>>> 
>>>>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Please find strace on a core file : 
>>>>>>>>>>>>> http://pastebin.com/v9cUzau4
>>>>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>>>>>>>>> to get a better stack you would have to install also the 
>>>>>>>>>>>> debuginfo for ipa-server.
>>>>>>>>>>> but the stack matches the error messages you have seen
>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>>> they are from the functions in the call stack.
>>>>>>>>>>> 
>>>>>>>>>>> Looks like the user has a password with a \351 char:
>>>>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
>>>>>>>>>>> 
>>>>>>>>>>> does the crash always happen with a bind from this user ?
>>>>>>>>>>> 
>>>>>>>>>>>> and then someone familiar with this plugin should look into it
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>>>>>>>>> can you get a core file ?
>>>>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> The Directory Services crashes several times a day. It's 
>>>>>>>>>>>>>>> installed on CentOS 7 VM :
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Installed Packages
>>>>>>>>>>>>>>> Name        : ipa-server
>>>>>>>>>>>>>>> Arch        : x86_64
>>>>>>>>>>>>>>> Version     : 4.2.0
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> # ipactl status
>>>>>>>>>>>>>>> Directory Service: STOPPED
>>>>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Before each crash, I have these messages in 
>>>>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>>>>>>>>>>>>     [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Any help?
>>>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered 
>>>>>>>>>>>>>> seat: Grasbrunn,
>>>>>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, 
>>>>>>>>>>>>>> Michael
>>>>>>>>>>>>>> O'Neill, Eric Shander
>>>>>>>>>>>> 
>>>>>>>>>>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: JXplorer - cder_007.png
Type: image/png
Size: 146955 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160705/b00cf946/attachment.png>
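
Added example (not part of the original message and not FreeIPA code): a strict UTF-8 check run over the two bind credentials that gdb printed in the quoted core dumps, returning the offset of the octet (\351, \250) at which each stops being well-formed UTF-8. `struct cred` is a local stand-in for the bv_len/bv_val pair shown by gdb, and `cred_ok` is a constructed control value.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the length-delimited credential shown by gdb
 * (bv_len / bv_val); not the real lber struct berval. */
struct cred { size_t bv_len; const char *bv_val; };

/* Return the offset of the first byte that is not part of a
 * well-formed UTF-8 sequence, or -1 if the whole buffer is valid. */
long first_invalid_utf8(const struct cred *c)
{
    const unsigned char *s = (const unsigned char *)c->bv_val;
    size_t i = 0, n = c->bv_len;

    while (i < n) {
        unsigned char b = s[i];
        size_t need;
        unsigned long cp, min;

        if (b < 0x80) { i++; continue; }                 /* ASCII */
        else if ((b & 0xE0) == 0xC0) { need = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return (long)i;         /* stray continuation byte or 0xF8+ */

        if (n - i <= need) return (long)i;       /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return (long)i;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        /* Reject overlong forms, UTF-16 surrogates and values > U+10FFFF. */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return (long)i;
        i += need + 1;
    }
    return -1;
}

/* The two credentials exactly as gdb printed them in the thread. */
static const struct cred cred_a = { 15, "d\351sertification" };
static const struct cred cred_b = { 9, "nw_PA\250\063\065\067" };
/* Constructed control: the first word re-encoded as UTF-8 (16 bytes). */
static const struct cred cred_ok = { 16, "d\303\251sertification" };

int main(void)
{
    printf("%ld %ld %ld\n", first_invalid_utf8(&cred_a),
           first_invalid_utf8(&cred_b), first_invalid_utf8(&cred_ok));
    return 0;
}
```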