Hi,
We have SSSD authenticating against Active Directory on a large cluster of
hadoop machines. Intermittently we're seeing JVM processes (Apache Spark
jobs) core dumping when they attempt to lookup the group owner of a file.
The group comes from Active Directory. The group contains roughly 30 users.
Is anyone able to help identify what might be causing this?
############################################################
(gdb) bt
#0 0x00007f789005acc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007f789005e0d8 in __GI_abort () at abort.c:89
#2 0x00007f788f3abd69 in os::abort(bool) () from
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#3 0x00007f788f53133f in VMError::report_and_die() () from
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#4 0x00007f788f3b4b4f in JVM_handle_linux_signal () from
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#5 <signal handler called>
#6 sss_nss_check_header (ctx=ctx@entry=0x7f788d541280 <gr_mc_ctx>) at
../src/sss_client/nss_mc_common.c:65
#7 0x00007f788d33ed1b in sss_nss_mc_get_ctx (name=name@entry=0x7f788d33fae1
"group", ctx=ctx@entry=0x7f788d541280 <gr_mc_ctx>) at
../src/sss_client/nss_mc_common.c:151
#8 0x00007f788d33f7d9 in sss_nss_mc_getgrgid (gid=gid@entry=10002,
result=result@entry=0x7f783d325800, buffer=0x14f2bb0 "postdrop",
buflen=buflen@entry=1024) at ../src/sss_client/nss_mc_group.c:182
#9 0x00007f788d33da56 in _nss_sss_getgrgid_r (gid=10002,
result=0x7f783d325800, buffer=0x14f2bb0 "postdrop", buflen=1024,
errnop=0x7f783d329660) at ../src/sss_client/nss_group.c:454
#10 0x00007f78900e2b0c in __getgrgid_r (gid=10002, resbuf=0x7f783d325800,
buffer=0x14f2bb0 "postdrop", buflen=1024, result=0x7f783d325828) at
../nss/getXXbyYY_r.c:266
#11 0x00007f7841cabfe6 in ?? ()
#12 0x00000000014f2bb0 in ?? ()
############################################################
Here's our sssd config:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
#debug_level = 0x4000
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://192.168.16.2,ldaps://192.168.16.5
ldap_search_base = <hidden>
ldap_id_mapping = False
ldap_user_search_base = <hidden>
ldap_group_search_base = <hidden>
ldap_user_object_class = user
ldap_user_name = msSFU30Name
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
#Bind credentials
ldap_default_bind_dn = <CN>
ldap_default_authtok = secret
ldap_tls_reqcert = allow
cache_credentials = true
enumerate = false
Our nsswitch.conf:
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
$ grep sss /etc/pam.d/
common-account:account [default=bad success=ok user_unknown=ignore]
pam_sss.so
common-auth:auth [success=2 default=ignore] pam_sss.so use_first_pass
common-password:password sufficient pam_sss.so use_authtok
common-session:session optional pam_sss.so
Versions:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
Linux 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015 x86_64
x86_64 x86_64 GNU/Linux
$ dpkg -l | grep sssd
ii sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active
Directory back end
ii sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon --
PAC responder
ii sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon --
common files
ii sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA
back end
ii sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon --
Kerberos back end
ii sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon
-- Kerberos helpers
ii sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP
back end
ii sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon --
proxy back end
ii sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
Show replies by thread