ldap_install_tls occasionally fails due to watchdog timeout when using ad_use_ldaps with tls
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sssd (Ubuntu) | In Progress | Medium | Matthew Ruffell | |
| Bionic | In Progress | Medium | Matthew Ruffell | |
| Focal | In Progress | Medium | Matthew Ruffell | |
| Hirsute | Won't Fix | Medium | Matthew Ruffell | |
| Impish | Won't Fix | Medium | Matthew Ruffell | |
Bug Description
[Impact]
If you enable ad_use_ldaps in your sssd config and have sssd configured to use TLS instead of the regular GSS-SPNEGO or GSSAPI encryption, then on a slow AD server or a busy network the watchdog can time out the call to ldap_install_tls() before it completes. The TLS handshake then fails and you cannot connect to the AD server.
If you set debug_level to 4 or higher, you will see the following in sssd_ldap_
[set_server_
[be_resolve_
[ad_resolve_
[ad_resolve_
[sssd_async_
[sss_ldap_
[sss_ldap_
[sss_ldap_
[sdap_sys_
[fo_set_
[fo_set_
ldapsearch with ldaps will work correctly in the same environment:
# openssl s_client -connect company-
# ldapsearch -v -H ldaps:/
# Duperuser\2C Super ADM, Users, Admin, company.com dn: CN=Duperuser\, Super ADM,OU=
A workaround is to simply try again: since this is a race condition, you might beat the watchdog on a subsequent retry. Otherwise, disable ad_use_ldaps until a fix is available.
[Testcase]
You will need a Windows 2k19 server with Active Directory installed and configured, and some users created in Active Directory.
On the Ubuntu client, join the AD server using realm. You will need to import the AD certificate too.
When importing the TLS certificate, you can add it to /etc/ssl/
TLS_CACERT /etc/ssl/
Edit /etc/sssd/sssd.conf and ensure that ldap_tls_cacert is set correctly to "ldap_tls_cacert = /etc/ssl/
Then restart sssd with:
$ sudo systemctl restart sssd.service
If you have a slow server or busy network, the watchdog will kill the call to ldap_install_tls() before it completes, and sssd will fail to start. You may need several attempts to reproduce. Just keep restarting sssd.service.
Test packages are available in the below ppa:
https:/
When using the test packages, sssd should start reliably every time.
[Where problems could occur]
The changes only affect users who enable ad_use_ldaps, and only those who use TLS. Those using GSS-SPNEGO with ad_use_ldaps would not be affected, nor would those not using ad_use_ldaps.
The patch checks for failure of TLS handshake with the AD server, and adds a retry if the failure was caused by the watchdog killing the call to ldap_install_tls(). This happens very early on in sssd service startup, and if a regression were to occur, a system administrator would notice almost immediately and downgrade the package.
If a regression were to occur, a workaround is to 1) change from TLS to GSS-SPNEGO, or 2) disable ad_use_ldaps.
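The retry the patch adds, modelled as an added example in C; this is not sssd's code. A scripted stand-in takes the place of the blocking ldap_install_tls() call, and a bounded retry wrapper retries only when the failure was the watchdog's interruption and fails fast on a genuine TLS error. The function names, the attempt cap and the scenarios are invented for the example, and the interruption surfacing as errno EINTR is an assumption: the bug report does not say how sssd detects it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts of the hypothetical retry wrapper (names invented for this example). */
enum tls_result { TLS_OK = 0, TLS_FAILED = 1, TLS_EXHAUSTED = 2 };

/* Scripted stand-in for ldap_install_tls(). Each call consumes the next errno
 * from a constructed script: 0 means the handshake completed, EINTR models the
 * watchdog signal cutting the blocking call short (an assumption about how the
 * interruption surfaces), any other value models a genuine TLS failure. */
struct scripted_handshake {
    const int *script;
    size_t count;
    size_t next;
    size_t calls;   /* how many times the stand-in was invoked */
};

static int scripted_install_tls(struct scripted_handshake *s)
{
    int e;

    s->calls++;
    if (s->next >= s->count) {
        errno = EIO;    /* script ran out: treat as a hard failure */
        return -1;
    }
    e = s->script[s->next++];
    if (e == 0)
        return 0;
    errno = e;
    return -1;
}

/* Retry only on the watchdog interruption, fail fast on everything else, and
 * cap the attempts so a persistently slow server cannot stall startup forever. */
int install_tls_with_retry(struct scripted_handshake *s, unsigned max_attempts)
{
    unsigned attempt;

    for (attempt = 1; attempt <= max_attempts; attempt++) {
        if (scripted_install_tls(s) == 0)
            return TLS_OK;
        if (errno != EINTR) {
            fprintf(stderr, "attempt %u: TLS handshake failed (errno %d), not retrying\n",
                    attempt, errno);
            return TLS_FAILED;
        }
        fprintf(stderr, "attempt %u: interrupted by watchdog, retrying\n", attempt);
    }
    return TLS_EXHAUSTED;
}

/* Constructed scenarios; each returns the verdict and reports the number of
 * handshake calls made through *calls. */
int scenario_slow_then_ok(size_t *calls)
{
    static const int script[] = { EINTR, EINTR, 0 };    /* two interruptions, then success */
    struct scripted_handshake s = { script, 3, 0, 0 };
    int r = install_tls_with_retry(&s, 5);
    *calls = s.calls;
    return r;
}

int scenario_hard_failure(size_t *calls)
{
    static const int script[] = { ECONNRESET, 0 };      /* genuine failure: must not retry */
    struct scripted_handshake s = { script, 2, 0, 0 };
    int r = install_tls_with_retry(&s, 5);
    *calls = s.calls;
    return r;
}

int scenario_never_completes(size_t *calls)
{
    static const int script[] = { EINTR, EINTR, EINTR, EINTR };  /* too slow every time */
    struct scripted_handshake s = { script, 4, 0, 0 };
    int r = install_tls_with_retry(&s, 3);
    *calls = s.calls;
    return r;
}

int main(void)
{
    size_t n;
    int r;

    r = scenario_slow_then_ok(&n);
    printf("slow then ok:    verdict %d after %zu calls\n", r, n);
    r = scenario_hard_failure(&n);
    printf("hard failure:    verdict %d after %zu calls\n", r, n);
    r = scenario_never_completes(&n);
    printf("never completes: verdict %d after %zu calls\n", r, n);
    return 0;
}
```

The cap matters for the regression the report anticipates: a retry that loops unconditionally on interruption would turn a slow handshake into a startup hang rather than the immediate, visible failure the report describes, and retrying on a non-watchdog error would mask a bad certificate or a closed port behind repeated attempts.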
[Other info]
This is reported upstream in:
https:/
The commit which fixes the issue is:
commit da55e3e69707de4
From: Iker Pedrosa <email address hidden>
Date: Wed, 3 Mar 2021 15:34:49 +0100
Subject: ldap: retry ldap_install_tls() when watchdog interruption
Link: https:/
This landed in sssd 2.5.0, so Bionic, Focal, Hirsute and Impish all require fixing. The commit is a cherry pick to Focal, Hirsute and Impish, while Bionic requires a backport for minor context adjustments.
affects: ubuntu → sssd (Ubuntu)
description: updated
Changed in sssd (Ubuntu Bionic): status New → In Progress
Changed in sssd (Ubuntu Focal): status New → In Progress
Changed in sssd (Ubuntu Hirsute): status New → In Progress
Changed in sssd (Ubuntu Impish): status Incomplete → In Progress
Changed in sssd (Ubuntu Bionic): importance Undecided → Medium
Changed in sssd (Ubuntu Focal): importance Undecided → Medium
Changed in sssd (Ubuntu Hirsute): importance Undecided → Medium
Changed in sssd (Ubuntu Impish): importance Undecided → Medium
Changed in sssd (Ubuntu Bionic): assignee nobody → Matthew Ruffell (mruffell)
Changed in sssd (Ubuntu Focal): assignee nobody → Matthew Ruffell (mruffell)
Changed in sssd (Ubuntu Hirsute): assignee nobody → Matthew Ruffell (mruffell)
Changed in sssd (Ubuntu Impish): assignee nobody → Matthew Ruffell (mruffell)
tags: added: seg
summary: "ad_use_ldaps error could not start tls encryption" → "ldap_install_tls occasionally fails due to watchdog timeout when using ad_use_ldaps with tls"
description: updated
Apport file attached