All,

This was a case where 'realm permit' of a user was causing a back-end sssd process (sssd_be) to core dump (SIGSEGV). I reported this to this group a few months ago. We're working this case with the Linux OS vendor. Turns out, if we explicitly add:

ldap_sasl_authid = host/<HOST>@<HOST's REALM>

to each [domain/XXX.COMPANY.COM] stanza in the /etc/sssd/sssd.conf file, it no longer core dumps.

That is, we have these child AD domains defined in sssd.conf

[domain/AMER.COMPANY.COM]

[domain/EMEA.COMPANY.COM]

[domain/APAC.COMPANY.COM]

However, our host is registered in only one child domain.  Say AMER for a server amerhost1 in North America.   So we'd set:

ldap_sasl_authid = host/amerhost1@AMER.COMPANY.COM  in each domain stanza above.

Why does this prevent sssd_be from core dumping?  Not a clue!  But sssd performs flawlessly once this is added.

Spike
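
The workaround above only helps if every [domain/...] stanza carries the same host principal, so here is a small audit check as an added example (not part of the original post, and not sssd project code). The sample sssd.conf text, the `id_provider` lines and the function name `audit_sasl_authid` are constructed for illustration.

```python
import configparser

# Constructed sample mirroring the three child-domain stanzas in the post.
# AMER has the workaround, EMEA lacks it, APAC has the wrong realm.
SAMPLE_CONF = """\
[sssd]
domains = AMER.COMPANY.COM, EMEA.COMPANY.COM, APAC.COMPANY.COM

[domain/AMER.COMPANY.COM]
id_provider = ad
ldap_sasl_authid = host/amerhost1@AMER.COMPANY.COM

[domain/EMEA.COMPANY.COM]
id_provider = ad

[domain/APAC.COMPANY.COM]
id_provider = ad
ldap_sasl_authid = host/amerhost1@APAC.COMPANY.COM
"""


def audit_sasl_authid(conf_text, expected_authid):
    """Return {domain: problem} for each [domain/...] stanza whose
    ldap_sasl_authid is missing or differs from expected_authid."""
    # interpolation=None: sssd.conf values may contain '%' (e.g. %u in paths).
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # skip [sssd], [nss], [pam], ...
        domain = section[len("domain/"):]
        value = parser.get(section, "ldap_sasl_authid", fallback=None)
        if value is None:
            findings[domain] = "missing"
        elif value.strip() != expected_authid:
            findings[domain] = "mismatch: " + value.strip()
    return findings


if __name__ == "__main__":
    # The host is joined to AMER only, so that principal is expected everywhere.
    expected = "host/amerhost1@AMER.COMPANY.COM"
    for domain, problem in audit_sasl_authid(SAMPLE_CONF, expected).items():
        print(f"{domain}: {problem}")
```

To check a real host, pass the contents of /etc/sssd/sssd.conf (readable by root only) in place of the sample text.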


On Thu, Aug 8, 2019 at 9:09 AM Spike White <spikewhitetx@gmail.com> wrote:
Here is the bugzilla link to the ticket:

   https://bugzilla.redhat.com/show_bug.cgi?id=1738375 

   So it appears a BZ has been created.

Spike

On Tue, Jul 16, 2019 at 3:32 PM Jakub Hrozek <jhrozek@redhat.com> wrote:
On Tue, Jul 16, 2019 at 12:32:29PM -0500, Spike White wrote:
> The following case has been opened with RHEL support on this.  It was
> opened this morning:
>
> (SEV 4) Case #02427449 ('realm permit group@DOMAIN' causing background
> process sssd_be to segfault.)

Thank you, comment added. I hope a BZ would be created soon.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org