Don’t know if this is related, but for our puppet runs of ‘net ads’, had to add two environment variables as puppet didn’t set them, but ‘net ads’ expects them:

 

# Puppet doesn't provide USER and LOGNAME and net ads needs it
export USER="$(id -un)"
export LOGNAME="${USER}"

 

From: Spike White <spikewhitetx@gmail.com>
Sent: Monday, September 16, 2019 3:47 PM
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users]Re: sssd_be core dumping when ‘realm permit’ command run under puppet control…

 


All,

 

This was a case where 'realm permit' of a user was causing a back-end sssd process (sssd_be) to core dump (sigsegv). I reported this to this group a few months ago. We're working this case with the Linux OS vendor. Turns out, if we explicitly add:

    ldap_sasl_authid = host/<HOST>@<HOST's REALM>

to each [domain/XXX.COMPANY.COM] stanza in /etc/sssd/sssd.conf file, it no longer core dumps.

 

That is, we have these child AD domains defined in sssd.conf

    [domain/AMER.COMPANY.COM]
    [domain/EMEA.COMPANY.COM]
    [domain/APAC.COMPANY.COM]

 

However, our host is registered in only one child domain. Say AMER for a server amerhost1 in North America. So we'd set:

    ldap_sasl_authid = host/amerhost1@AMER.COMPANY.COM

in each domain stanza above.

 

Why does this prevent sssd_be from core dumping?  Not a clue!  But sssd performs flawlessly once this is added.

 

Spike

 

 

On Thu, Aug 8, 2019 at 9:09 AM Spike White <spikewhitetx@gmail.com> wrote:

Here is the bugzilla link to the ticket:

   https://bugzilla.redhat.com/show_bug.cgi?id=1738375

So it appears a BZ has been created.

 

Spike

 

On Tue, Jul 16, 2019 at 3:32 PM Jakub Hrozek <jhrozek@redhat.com> wrote:

On Tue, Jul 16, 2019 at 12:32:29PM -0500, Spike White wrote:
> The following case has been opened with RHEL support on this.  It was
> opened this morning:
>
> (SEV 4) Case #02427449 ('realm permit group@DOMAIN' causing background
> process sssd_be to segfault.)

Thank you, comment added. I hope a BZ would be created soon.
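
Added example, not part of the original thread or of SSSD: a Python check that every [domain/...] stanza in an sssd.conf carries the one host principal the workaround above calls for, which is useful when the file is managed by Puppet across many hosts. The function name and the sample file contents (including the id_provider line and the deliberately wrong EMEA value) are constructed for illustration.

```python
import configparser

# Constructed sample using the stanza names from the thread. EMEA uses the
# stanza's realm instead of the host's realm, and APAC lacks the setting,
# so the check has something to report.
SAMPLE_CONF = """\
[sssd]
domains = AMER.COMPANY.COM, EMEA.COMPANY.COM, APAC.COMPANY.COM

[domain/AMER.COMPANY.COM]
ldap_sasl_authid = host/amerhost1@AMER.COMPANY.COM

[domain/EMEA.COMPANY.COM]
ldap_sasl_authid = host/amerhost1@EMEA.COMPANY.COM

[domain/APAC.COMPANY.COM]
id_provider = ad
"""


def audit_sasl_authid(conf_text, expected):
    """Return {stanza: problem} for domain stanzas without the expected authid."""
    # sssd.conf is INI-style; disable interpolation so '%' in values is literal.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(conf_text)
    problems = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] etc. do not take this option
        value = parser.get(section, "ldap_sasl_authid", fallback=None)
        if value is None:
            problems[section] = "missing"
        elif value.strip() != expected:
            problems[section] = "mismatch: " + value.strip()
    return problems


if __name__ == "__main__":
    # The host's own principal in the realm it is joined to (from the thread).
    expected = "host/amerhost1@AMER.COMPANY.COM"
    for stanza, problem in audit_sasl_authid(SAMPLE_CONF, expected).items():
        print(f"[{stanza}] ldap_sasl_authid {problem}")
```

To run it against a real host, pass the contents of /etc/sssd/sssd.conf and that host's own principal instead of the sample.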