Univention Bugzilla – Bug 56868
slapd crashes with segfault error 4 in libc-2.28.so
Last modified: 2024-01-12 08:52:08 CET
The crash occurs sporadically on more than one dc with UCS 5.0-5 errata857 in the same environment. After the crash the slapd must be restarted. This can be found in the syslog:

kernel: [395685.642153] slapd[1134]: segfault at 65640042005d ip 00007ff928034b7d sp 00007ff812ffc100 error 4 in libc-2.28.so[7ff927fd2000+147000]
kernel: [395685.642174] Code: 89 ee 48 89 df 5b 5d e9 11 fd ff ff 90 53 48 83 ec 10 48 8b 05 8c 53 13 00 48 8b 00 48 85 c0 0f 85 88 00 00 00 48 85 ff 74 73 <48> 8b 47 f8 48 8d 77 f0 a8 02 75 37 48 8b 15 e8 51 13 00 64 48 83
systemd[1]: slapd.service: Main process exited, code=killed, status=11/SEGV
systemd[1]: slapd.service: Failed with result 'signal'.
We need more information: Please let a core dump be created and then at least give us a backtrace ("thread apply all bt" command in gdb, best with LDAP *-dbg packages installed). A USI is helpful as well. Is the ppolicy overlay module activated? Are any cool solutions installed? Which apps are installed ("univention-app info")?
Backtrace of all threads is attached to the ticket. The core dump occurs in a code path that involves a call to "_gss_ntlm_acquire_cred" and the client appears to be a Microsoft Windows client. I analyzed the backtrace again and found that three of the threads show the usage of "GSS-SPNEGO" as SASL mech (maybe as default). Felix's research for Bug 43732 may help here to avoid this code path. So I recommended that the customer check whether the issue persists after adjusting the following:

echo "mech_list: EXTERNAL gssapi DIGEST-MD5 CRAM-MD5 LOGIN SAML PLAIN" \
  >> /etc/ldap/sasl2/slapd.conf
systemctl restart slapd.service
The customer informed us that there have been no more crashes since adding the mech_list.
2678fa4ad6 | New UCR variable ldap/server/sasl/mech_list

Package built
Package: univention-management-console
Version: 12.0.32-3
Branch: ucs_5.0-0
Scope: errata5.0-6
OK: SASL server mechanisms are configurable via UCRv ldap/server/sasl/mech_list
OK: change of default removes NTLM and GSS-SPNEGO:

# ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
# univention-upgrade
# systemctl restart slapd.service
# ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

OK: NTLM: Not provided by slapd at all.
OK: GSS-SPNEGO (Simple and Protected GSS-API Negotiation): causes the above error, chosen by Windows client, where we don't have control over the client's choice. We don't specify any preferred SASL_MECH in our client conf /etc/ldap/ldap.conf.
OK: Code review
OK: no slapd restart during/after the upgrade. Change will apply with the next restart.
REOPEN: No advisory YAML exists.
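The before/after check from the QA comment above can be scripted. This is an added example, not part of the bug thread or Univention's code: it parses the root DSE LDIF and reports any advertised SASL mechanism outside an allow list. The function names and the default allow list (taken from the post-upgrade output) are assumptions.

```sh
#!/bin/sh
# Added example (not Univention code): check which SASL mechanisms slapd
# advertises in its root DSE. Feed it the LDIF printed by
#   ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
# Assumption: the allow list is the post-erratum output shown in this bug.
ALLOWED_DEFAULT="GSSAPI DIGEST-MD5 CRAM-MD5"

# Root DSE output quoted in the QA comment, before and after the upgrade.
SAMPLE_BEFORE='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM'
SAMPLE_AFTER='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5'

# list_mechs: LDIF on stdin -> one upper-cased mechanism name per line.
list_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" && $2 != "" {
        sub(/[ \t\r]+$/, "", $2); print toupper($2) }'
}

# unexpected_mechs [ALLOWED]: print advertised mechanisms missing from the
# space-separated, case-insensitive allow list.
unexpected_mechs() {
    allowed=" $(printf '%s' "${1:-$ALLOWED_DEFAULT}" | tr '[:lower:]' '[:upper:]') "
    list_mechs | while IFS= read -r mech; do
        case "$allowed" in
            *" $mech "*) ;;
            *) printf '%s\n' "$mech" ;;
        esac
    done
}

# audit_mechs [ALLOWED]: 0 = only allowed mechanisms, 1 = extras advertised,
# 2 = no supportedSASLMechanisms values in the input (bad query or bind).
audit_mechs() {
    ldif=$(cat)
    if [ -z "$(printf '%s\n' "$ldif" | list_mechs)" ]; then return 2; fi
    extra=$(printf '%s\n' "$ldif" | unexpected_mechs "${1:-}")
    if [ -z "$extra" ]; then return 0; fi
    printf 'unexpected SASL mechanism advertised: %s\n' $extra >&2
    return 1
}
```

On a live server, pipe the query into it: `ldapsearch -LLLx -b '' -s base supportedSASLMechanisms | audit_mechs`. As the QA comment notes, a changed mech_list only shows up after slapd has been restarted.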
Maybe related: Bug #46862
Sorry, the advisory was still sitting on my notebook, now I checked it in: 19e47afed2 | Advisory
OK: Advisory
Bug is fixed with Erratum 914 https://errata.software-univention.de/#/?erratum=5.0x914