Apparmor complaints about sssd_pac_plugin.so in dmesg

Bug #1702801 reported by kolya
This bug affects 1 person
Affects: openldap (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have slapd running and use krb authentication.

Every time someone authenticates on a box connected to slapd/krb I get a few lines like this in server logs:

audit: type=1400 audit(1499390102.162:5253): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/slapd" name="/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so" pid=2513 comm="slapd" requested_mask="m" denied_mask="m" fsuid=107 ouid=0

kolya (mar-kolya) wrote :

This still occurs with Ubuntu 19.04.

This also may be a potential resource leak/security problem. It looks like each authentication creates a new entry in the process's maps file that looks like this:

/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so

After running for some time, the slapd process gets many of those:

cat /proc/877/maps | grep sssd_pac_plugin.so | wc -l
3381

I guess at some point it will run out of resources and crash.
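
Added example, not part of the original report and not code from the openldap or sssd projects: a small Python helper that counts AppArmor file_mmap denials per profile and path from audit lines like the one quoted in the description, and counts mappings of a library in a /proc/<pid>/maps dump the way the grep pipeline in the comment does. The function names are hypothetical, and every sample line except the first audit line is constructed for illustration.

```python
import re
from collections import Counter

# First line is the denial quoted in the report; the other two are constructed.
SAMPLE_LOG = '''audit: type=1400 audit(1499390102.162:5253): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/slapd" name="/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so" pid=2513 comm="slapd" requested_mask="m" denied_mask="m" fsuid=107 ouid=0
audit: type=1400 audit(1499390160.001:5260): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/slapd" name="/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so" pid=2513 comm="slapd" requested_mask="m" denied_mask="m" fsuid=107 ouid=0
audit: type=1400 audit(1499390161.170:5261): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=2600 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# Constructed /proc/<pid>/maps excerpt: two plugin mappings, heap, one anonymous.
SAMPLE_MAPS = '''7f1c2a000000-7f1c2a003000 r--p 00000000 08:01 123456 /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so
7f1c2a200000-7f1c2a203000 r--p 00000000 08:01 123456 /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/sssd_pac_plugin.so
7f1c2b000000-7f1c2b021000 rw-p 00000000 00:00 0 [heap]
7f1c2c000000-7f1c2c001000 rw-p 00000000 00:00 0
'''

# key=value or key="quoted value" pairs as they appear in audit records
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Return the key/value fields of one audit line, quotes stripped."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def mmap_denials(log_text):
    """Count DENIED file_mmap events per (profile, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_audit(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "file_mmap":
            counts[(fields.get("profile"), fields.get("name"))] += 1
    return counts

def count_mappings(maps_text, needle):
    """Count maps entries whose pathname field contains needle."""
    total = 0
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(parts) == 6 and needle in parts[5]:
            total += 1
    return total

if __name__ == "__main__":
    for (profile, path), n in mmap_denials(SAMPLE_LOG).items():
        print(f"{n} file_mmap denial(s): profile={profile} path={path}")
    print("plugin mappings:", count_mappings(SAMPLE_MAPS, "sssd_pac_plugin.so"))
```

To track growth on a live host, pass the contents of /proc/<pid>/maps for the slapd process to count_mappings at intervals and compare the results.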
