Bug 1151675

Summary: NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID IS WRONG (AND A NEGATIVE NUMBER)
Product: Red Hat Enterprise Linux 7
Reporter: Luan Jianhai <jianhai.luan>
Component: nss-pam-ldapd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Martin Zelený <mzeleny>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: jhrozek, mkosek, mzeleny, pkis
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: nss-pam-ldapd-0.8.13-16.el7
Last Closed: 2018-04-10 17:24:59 UTC
Type: Bug
Attachments: The patch to fix the issue. (Flags: none)

Description Luan Jianhai 2014-10-11 02:30:31 UTC
Description of problem:
I found that LDAP user accounts with a uidNumber greater than 2^31 experience PAM authentication failures. For example, the following occurs when they try to authenticate:

[Mon Aug 18 09:56:35 2014] [error] [client aaa.bbb.ccc.ddd] PAM: user 'rohan_roy' - not authenticated: Authentication failure
[Mon Aug 18 10:49:04 2014] [error] [client aaa.bbb.ccc.ddd] PAM: user 'rohan_roy' - not authenticated: Authentication failure
[Mon Aug 18 11:52:57 2014] [error] [client aaa.bbb.ccc.ddd] PAM: user 'rohan_roy' - not authenticated: Authentication failure
[Mon Aug 18 11:53:09 2014] [error] [client aaa.bbb.ccc.ddd] PAM: user 'rohan_roy' - not authenticated: Authentication failure
[Mon Aug 18 11:53:50 2014] [error] [client aaa.bbb.ccc.ddd] PAM: user 'rohan_roy' - not authenticated: Authentication failure

# getent passwd rohan_roy
rohan_roy:x:2300000032:18010:Rohan Roy:/Network/Servers/notapplicable.apple.com/vol/homedir3/rohan_roy:/bin/bash

ANALYSIS AND RESEARCH
---------------------
Local users with uidnumber > 2^31 work (works for customer, and I also tested this).

Version-Release number of selected component (if applicable):
  0.8.13-8

How reproducible:
  Create an LDAP server; authenticating a user through nss-pam-ldap will fail


Steps to Reproduce:
1. Create an LDAP server and configure nss-pam-ldap to authenticate users via LDAP
2. Create a user whose uid is larger than 2^31
3. Authentication will fail

Actual results:
  Failure to authenticate the user whose uid is larger than 2^31

Expected results:
  Should successfully authenticate the user whose uid is larger than 2^31

Additional info:
  uid_t/gid_t should be formatted as unsigned long
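
The formatting problem named under "Additional info", as an added example (not code from nss-pam-ldapd or from the attached patch): it formats the uidNumber from the getent output above once through a signed int, as the bug title describes, and once as unsigned long, then parses each string back the way a strict consumer would. It assumes a Linux target where uid_t is a 32-bit unsigned type; all function and macro names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: the uidNumber shown in the report's getent output. */
#define SAMPLE_UID ((uid_t)2300000032u)
/* chown() and setreuid() treat (uid_t)-1 as "leave unchanged", so it is not a usable id. */
#define UID_INVALID ((uid_t)-1)

/* Signed formatting: with a 32-bit int, values above 2^31-1 wrap to negative
   (the conversion is implementation-defined; gcc and clang wrap modulo 2^32). */
static int format_uid_signed(uid_t uid, char *buf, size_t len) {
    return snprintf(buf, len, "%d", (int)uid);
}

/* Formatting named in the report: uid_t as unsigned long. */
static int format_uid_unsigned(uid_t uid, char *buf, size_t len) {
    return snprintf(buf, len, "%lu", (unsigned long)uid);
}

/* Strict decimal parse of a uid string. Returns 0 on success, -1 on reject. */
static int parse_uid(const char *s, uid_t *out) {
    char *end;
    unsigned long long v;
    if (*s < '0' || *s > '9') return -1;   /* rejects sign, whitespace, empty string */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    if (v >= (unsigned long long)UID_INVALID) return -1;  /* out of range or reserved */
    *out = (uid_t)v;
    return 0;
}

/* Returns 1 if uid survives format -> parse unchanged, 0 otherwise. */
static int roundtrips(int (*fmt)(uid_t, char *, size_t), uid_t uid) {
    char buf[32];
    uid_t back;
    fmt(uid, buf, sizeof buf);
    return parse_uid(buf, &back) == 0 && back == uid;
}

int main(void) {
    char s[32], u[32];
    format_uid_signed(SAMPLE_UID, s, sizeof s);
    format_uid_unsigned(SAMPLE_UID, u, sizeof u);
    printf("signed:   %s round-trips=%d\n", s, roundtrips(format_uid_signed, SAMPLE_UID));
    printf("unsigned: %s round-trips=%d\n", u, roundtrips(format_uid_unsigned, SAMPLE_UID));
    return 0;
}
```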

Comment 1 Luan Jianhai 2014-10-11 02:32:09 UTC
Upstream has fixed the issue, and the commit for the issue is: 78627c "uid_t/gid_t should be formatted as unsigned long"

Comment 2 Luan Jianhai 2014-10-11 02:34:25 UTC
Created attachment 945894
The patch to fix the issue.

Comment 5 Jakub Hrozek 2016-02-09 04:54:25 UTC
We do not plan on updating nss-pam-ldapd in 7.3 after all.

Comment 15 errata-xmlrpc 2018-04-10 17:24:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0935