Bug 1142176
| Summary: | Kerberos ticket is not renewed properly and BIND later deadlocks | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Arpit Tolani <atolani> |
| Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.6 | CC: | ksiddiqu, mkosek, mnavrati, pspacek, qe-baseos-daemons, sauchter, thozza |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | bind-dyndb-ldap-2.3-7.el6 | Doc Type: | Bug Fix |
| Doc Text: |
The bind-dyndb-ldap library incorrectly compared current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket was not renewed under certain circumstances, which caused the connection to the LDAP server to fail. The connection failure often happened after a BIND service reload was triggered by the logrotate utility. A patch has been applied to fix this bug, and Kerberos tickets are correctly renewed in this scenario.
|
Story Points: | --- |
| Clone Of: | 1142150 | Environment: | |
| Last Closed: | 2015-07-22 05:39:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1142150 | ||
| Bug Blocks: | 1142152 | ||
|
Description
Arpit Tolani
2014-09-16 09:59:12 UTC
This problem is caused by two separate bugs: This one and bug 1142152. We need to fix both to completely solve the issue. There is nothing private in this bug. Publicizing. This problem is already fixed upstream, see commit https://fedorahosted.org/bind-dyndb-ldap/changeset/80f7663f309c0d0b9cb89ed8f8b38301b207360d/ . Verified. bind-dyndb-ldap version: ======================== bind-dyndb-ldap-2.3-7.el6.x86_64 snip from automation log: ========================= :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: kinit as admin with password xxxxxxxx was successful. :: [ PASS ] :: Kinit as admin user (Expected 0, got 0) :: [ PASS ] :: Adding a test dns A record (Expected 0, got 0) :: [ PASS ] :: Looking up for test record using dig (Expected 0, got 0) :: [ PASS ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0) :: [ PASS ] :: Running logrotate forcefully (Expected 0, got 0) :: [ LOG ] :: logrotate ran successfully :: [ PASS ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0) :: [ PASS ] :: Looking up for test record using dig after log rotate (Expected 0, got 0) :: [ PASS ] :: Resetting the date (Expected 0, got 0) :: [ PASS ] :: Deleting the test record (Expected 0, got 0) :: [ PASS ] :: Deleting generated log files (Expected 0, got 0) :: [ LOG ] :: Duration: 14s :: [ LOG ] :: Assertions: 10 good, 0 bad :: [ PASS ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks Hello Kaleem, please double-check that logrotate actually ran command 'rndc reload' (instead of 'service named restart'). I want to be 100 % sure that the bug was fixed properly. Thank you! (In reply to Petr Spacek from comment #7) > Hello Kaleem, > > please double-check that logrotate actually ran command 'rndc reload' > (instead of 'service named restart'). I want to be 100 % sure that the bug > was fixed properly. Thank you! As we have figured out that logroate runs "named reload" which calls up "rndc reload" also, so i have added a check for "named reload" in automation code. :: [ LOG ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: kinit as admin with password xxxxxxxx was successful. :: [ PASS ] :: Kinit as admin user (Expected 0, got 0) :: [ PASS ] :: Adding a test dns A record (Expected 0, got 0) :: [ PASS ] :: Looking up for test record using dig (Expected 0, got 0) :: [ PASS ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0) :: [ PASS ] :: Command 'sleep 60' (Expected 0, got 0) :: [ PASS ] :: clearing the /var/log/messages file (Expected 0, got 0) :: [ PASS ] :: Command 'sleep 60' (Expected 0, got 0) :: [ PASS ] :: Running logrotate forcefully (Expected 0, got 0) :: [ PASS ] :: Command 'sleep 60' (Expected 0, got 0) :: [ LOG ] :: logrotate ran successfully :: [ PASS ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/messages-20150521' should contain 'reloading zones succeeded' :: [ PASS ] :: Looking up for test record using dig after log rotate (Expected 0, got 0) :: [ PASS ] :: Resetting the date (Expected 0, got 0) :: [ PASS ] :: Deleting the test record (Expected 0, got 0) :: [ PASS ] :: Deleting generated log files (Expected 0, got 0) :: [ LOG ] :: Duration: 3m 9s :: [ LOG ] :: Assertions: 15 good, 0 bad :: [ PASS ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1259.html |