Sssd-maintainers May 2022

sssd-maintainers@lists.fedoraproject.org

1 participants
3 discussions

[Bug 2088481] New: selinux_child: Cannot beign SELinux transaction
by bugzilla＠redhat.com 05 Jul '22

05 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=2088481 Bug ID: 2088481 Summary: selinux_child: Cannot beign SELinux transaction Product: Fedora Version: 34 Status: NEW Component: sssd Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: rcritten(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: Some logins fail under load due to contention over the SELinux transaction lock in libsemanage. I'm trying to gather scalability information on IPA. The test revolves around bringing up a number of client VMs, enrolling as IPA clients and running a forking client that does a PAM transaction with the login service. Each client has a set of unique users with non-expired passwords to authenticate with. No pre-loading of the cache is done. In this particular case I brought up 10 clients and ran the test tool do to 10 logins. All of these 100 logins happen more or less simultaneously (time is synced). 30 of the authentications failed due to the transaction locking. IPA should be able to handle 100 authentications without breaking a sweat and the server-side logs don't show any issues but it may be somewhat load related. If I re-run the test tool after the fact, even clearing the SSSD cache I can't reproduce the transaction failure. I wonder if a retry could be implemented. The selinux_child log contains the following. It is consistent across all the clients (log level 3): (2022-05-19 13:42:01): [selinux_child[11668]] [libsemanage] (0x0020): Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400): selinux_child started. * (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x2000): Running with effective IDs: [0][0]. * (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x2000): Running with real IDs [0][0]. * (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400): context initialized * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): seuser length: 12 * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): seuser: unconfined_u * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): mls_range length: 14 * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023 * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): username length: 23 * (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000): username: user6client000.ipa.test * (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400): performing selinux operations * (2022-05-19 13:41:56): [selinux_child[11668]] [seuser_needs_update] (0x2000): sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023 * (2022-05-19 13:41:56): [selinux_child[11668]] [sss_seuser_exists] (0x0400): seuser exists: no * (2022-05-19 13:41:56): [selinux_child[11668]] [seuser_needs_update] (0x0400): The SELinux user does need an update * (2022-05-19 13:42:01): [selinux_child[11668]] [libsemanage] (0x0020): Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. ********************** BACKTRACE DUMP ENDS HERE ********************************* (2022-05-19 13:42:01): [selinux_child[11668]] [sss_set_seuser] (0x0020): Cannot begin SELinux transaction (2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): Cannot set SELinux login context. ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2022-05-19 13:42:01): [selinux_child[11668]] [sss_set_seuser] (0x0020): Cannot begin SELinux transaction * (2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): Cannot set SELinux login context. ********************** BACKTRACE DUMP ENDS HERE ********************************* (2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): selinux_child failed! (2022-05-19 13:42:01): [selinux_child[11671]] [libsemanage] (0x0020): Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400): selinux_child started. * (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x2000): Running with effective IDs: [0][0]. * (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x2000): Running with real IDs [0][0]. * (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400): context initialized * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): seuser length: 12 * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): seuser: unconfined_u * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): mls_range length: 14 * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023 * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): username length: 23 * (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000): username: user1client000.ipa.test * (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400): performing selinux operations * (2022-05-19 13:41:56): [selinux_child[11671]] [seuser_needs_update] (0x2000): sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023 * (2022-05-19 13:41:56): [selinux_child[11671]] [sss_seuser_exists] (0x0400): seuser exists: no * (2022-05-19 13:41:56): [selinux_child[11671]] [seuser_needs_update] (0x0400): The SELinux user does need an update * (2022-05-19 13:42:01): [selinux_child[11671]] [libsemanage] (0x0020): Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. ********************** BACKTRACE DUMP ENDS HERE ********************************* (2022-05-19 13:42:01): [selinux_child[11671]] [sss_set_seuser] (0x0020): Cannot begin SELinux transaction (2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): Cannot set SELinux login context. ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2022-05-19 13:42:01): [selinux_child[11671]] [sss_set_seuser] (0x0020): Cannot begin SELinux transaction * (2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): Cannot set SELinux login context. ********************** BACKTRACE DUMP ENDS HERE ********************************* (2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): selinux_child failed! Version-Release number of selected component (if applicable): sssd-common-2.5.2-2.fc34 -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2088481

1 7

[Bug 1965818] New: sssd - failing on "dotted"languages (Example turkish language)
by bugzilla＠redhat.com 22 Jun '22

22 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=1965818 Bug ID: 1965818 Summary: sssd - failing on "dotted"languages (Example turkish language) Product: Fedora Version: 34 Hardware: x86_64 OS: Linux Status: NEW Component: sssd Severity: high Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: thunderbirdtr(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: Hello, SSSD Service isn't starting If we use dotted language in our system. For example, adding "LANG=tr_TR" into "/etc/sysconfig/sssd" makes sssd fails on start. If anyone install Fedora with "turkish" or other dotted language in their pc/laptop, that makes sssd fails on start. After I made little bit research, I notice this issue has been addressed multiple times around RHEL[0] and samba[1] and github[2] as well. So for that reason at least can we add "english" locale setting into rpm spec with "language" check as a workaround has been suggest in github link.That is at least gives us "working" package in dotted languge, and If anyone wants change setting, they can change it. At least for normal users, we can have working sssd service and not complain about fails all the times. I know this isn't the cleanest solution (proper solution is patching libldb package which causing this issue, but at least we can have a "quick&dirty" solution avoid on new installs. Thank you. [0] : https://bugzilla.redhat.com/show_bug.cgi?id=1743531 [1] : https://lists.samba.org/archive/samba-technical/2019-December/134659.html [2] : https://github.com/SSSD/sssd/issues/5285 Version-Release number of selected component (if applicable): sssd-2.5.0-2.fc34.x86_64 libldb-2.3.0-2.fc34.x86_64 How reproducible: Steps to Reproduce: 1. Install Fedora or change language into dotted or change "LANG" env into dotted langauge 2. reset sssd counter 3. start sssd Actual results: sssd fails Expected results: sssd should start clean in default config. Additional info: SSSD Systemctl errors systemd[1]: Starting System Security Services Daemon... sssd[760632]: Starting up systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION systemd[1]: sssd.service: Failed with result 'exit-code'. systemd[1]: Failed to start System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' systemd[1]: sssd.service: Scheduled restart job, restart counter is at 1. systemd[1]: Stopped System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' systemd[1]: Starting System Security Services Daemon... sssd[760633]: Starting up systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION systemd[1]: sssd.service: Failed with result 'exit-code'. systemd[1]: Failed to start System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' systemd[1]: sssd.service: Scheduled restart job, restart counter is at 2. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' systemd[1]: Stopped System Security Services Daemon. systemd[1]: Starting System Security Services Daemon... sssd[760636]: Starting up systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION systemd[1]: sssd.service: Failed with result 'exit-code'. systemd[1]: Failed to start System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' systemd[1]: sssd.service: Scheduled restart job, restart counter is at 3. systemd[1]: Stopped System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' systemd[1]: Starting System Security Services Daemon... sssd[760637]: Starting up systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION systemd[1]: sssd.service: Failed with result 'exit-code'. systemd[1]: Failed to start System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' systemd[1]: sssd.service: Scheduled restart job, restart counter is at 4. systemd[1]: Stopped System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' systemd[1]: Starting System Security Services Daemon... sssd[760639]: Starting up systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION systemd[1]: sssd.service: Failed with result 'exit-code'. systemd[1]: Failed to start System Security Services Daemon. audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' ----------- /var/log/sssd/sssd.log (last error with LANG setting is tr_TR (LANG=tr_TR) ) ----------- ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2021-05-30 15:46:52): [sssd] [check_file] (0x0400): lstat for [/run/sssd.pid] failed: [2][No such file or directory]. * (2021-05-30 15:46:52): [sssd] [check_file] (0x0400): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory]. * (2021-05-30 15:46:52): [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse! * (2021-05-30 15:46:52): [sssd] [sss_ini_open] (0x0400): No /etc/sssd/sssd.conf. * (2021-05-30 15:46:52): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist. * (2021-05-30 15:46:52): [sssd] [confdb_ldif_from_ini_file] (0x0100): Value of config_file_version option not found. Assumed to be version 2. * (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x0400): Processing config section [sssd] * (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x0400): Processing attribute [services] * (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x4000): services: nss * (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x4000): Section dn dn: cn=sssd,cn=config cn: sssd services: nss * (2021-05-30 15:46:52): [sssd] [confdb_init_db] (0x0100): LDIF file to import: dn: cn=config version: 2 dn: cn=sssd,cn=config cn: sssd services: nss * (2021-05-30 15:46:52): [sssd] [add_implicit_services] (0x0040): No domains configured! * (2021-05-30 15:46:52): [sssd] [get_monitor_config] (0x0040): Failed to add implicit configured services. Some functionality might be missing * (2021-05-30 15:46:53): [sssd] [confdb_expand_app_domains] (0x2000): implicit_files is not an app domain * (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [implicit_files]! * (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information * (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1 * (2021-05-30 15:46:53): [sssd] [server_setup] (0x0080): Failed setting process group: Operation not permitted[1]. We might leak processes in case of failure * (2021-05-30 15:46:53): [sssd] [become_user] (0x0200): Trying to become user [0][0]. * (2021-05-30 15:46:53): [sssd] [become_user] (0x0200): Already user [0]. * (2021-05-30 15:46:53): [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse! * (2021-05-30 15:46:53): [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb * (2021-05-30 15:46:53): [sssd] [confdb_get_enabled_domain_list] (0x0040): Failed to get [domains] from [sssd], error [2] (Böyle bir dosya ya da dizin yok) ********************** BACKTRACE DUMP ENDS HERE ********************************* (2021-05-30 15:46:53): [sssd] [main] (0x0010): No domains configured. ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2021-05-30 15:46:53): [sssd] [confdb_get_domains] (0x0080): No domains configured, fatal error! * (2021-05-30 15:46:53): [sssd] [main] (0x0010): No domains configured. ********************** BACKTRACE DUMP ENDS HERE ********************************* -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.

1 8

[Bug 2077856] New: package sssd-idp-2.7.0-1.fc35.x86_64 requires sssd-common = 2.7.0-1.fc35, but none of the providers can be installed
by bugzilla＠redhat.com 02 May '22

02 May '22

https://bugzilla.redhat.com/show_bug.cgi?id=2077856 Bug ID: 2077856 Summary: package sssd-idp-2.7.0-1.fc35.x86_64 requires sssd-common = 2.7.0-1.fc35, but none of the providers can be installed Product: Fedora Version: 36 Status: NEW Component: sssd Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: kparal(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: When trying to upgrade from F35 to F36: Error: Problem: package sssd-idp-2.7.0-1.fc35.x86_64 requires sssd-common = 2.7.0-1.fc35, but none of the providers can be installed - sssd-common-2.7.0-1.fc35.x86_64 does not belong to a distupgrade repository - problem with installed package sssd-idp-2.7.0-1.fc35.x86_64 I believe that is resolved by pushing this update stable: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cdc3365ffc Requesting for a Freeze Exception. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2077856

1 13

2024

2023

2022

2021

2020

Sssd-maintainers May 2022