Protocol error with FreeIPA on CentOS 6

[sssd-bot]

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2993

• Created at 2016-04-19 13:26:01 by lslebodn
• Closed as Fixed
• Assigned to sbose
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1312276
  • https://bugzilla.redhat.com/show_bug.cgi?id=1328108

---

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1328108

Description of problem:
We use FreeIPA on CentOS 6 for user authentication. On Fedora 23, the sssd_be
consumes lots of memory and writes error messages to the log at a rapid rate
(gigabytes per day in debug_level 4).

Version-Release number of selected component (if applicable):
sssd-1.13.3-6.fc23.x86_64
Also tested: sssd-1.13.4-1.fc23.x86_64

How reproducible:
Always

Additional info:
The server runs ipa-server-3.0.0-47.el6.centos.2.x86_64.

On the client, the memory consumption of sssd_be constantly increases. The log
contains lots of messages of the following form (can't actually tell the order
since they repeat over and over, debug_level set to 4):
(Mon Apr 18 14:49:30 2016) [sssd[be[---]]] [sdap_get_generic_op_finished]
(0x0040): Unexpected result from ldap: Protocol error(2), A dereference
attribute must have DN syntax
(Mon Apr 18 14:49:30 2016) [sssd[be[---]]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Apr 18 14:49:30 2016) [sssd[be[---]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error

On the server, this causes a very high load in ns-slapd for the domain in
question.

We are currently in the process of upgrading from F20. There, everything was
working fine. So it seems that sssd in the meantime introduced something that
triggers this behavior. Either this is a general incompatibility that current
exists between the latest sssd and the CentOS 6 FreeIPA, or maybe some FreeIPA
upgrade had an issue? (I remember

The workstations with the new version seem to work fine, aside from becoming
unresponsive once sssd_be fills up the memory. Users can authenticate.

If there is anything I can provide to help analyze and fix this issue please
let me know. Currently this is a roadblock for further upgrading our machines.
We would like to resolve this without upgrading the FreeIPA server (after all,
we chose an enterprise Linux for long-term stability).

Comments

---

Comment from lslebodn at 2016-04-19 13:27:35

I seems to be a bug caused by ticket #2960.
It was introduced in 1.13.4

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0

---

Comment from lslebodn at 2016-04-19 13:29:05

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1312276 (Red Hat Enterprise Linux 7)

rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1328108 1328108] => [https://bugzilla.redhat.com/show_bug.cgi?id=1328108 1328108], [https://bugzilla.redhat.com/show_bug.cgi?id=1312276 1312276]

---

Comment from lslebodn at 2016-04-19 13:31:41

Sumit has a patch

owner: somebody => sbose

---

Comment from sbose at 2016-04-19 16:41:52

Fields changed

patch: 0 => 1

---

Comment from jhrozek at 2016-04-22 19:01:24

• master: 57d8b4b
• sssd-1-13: e5fbaf4

milestone: NEEDS_TRIAGE => SSSD 1.13.5
resolution: => fixed
status: new => closed

---

Comment from lslebodn at 2017-02-24 15:07:17

Metadata Update from @lslebodn:

• Issue assigned to sbose
• Issue set to the milestone: SSSD 1.13.5