Bug 1163402
| Summary: | kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> | |
| Component: | krb5 | Assignee: | Robbie Harwood <rharwood> | |
| Status: | CLOSED ERRATA | QA Contact: | Patrik Kis <pkis> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.1 | CC: | dpal | |
| Target Milestone: | rc | Keywords: | EasyFix | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | krb5-1.13.2-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1281734 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 05:12:56 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Fixed by rebase to krb5 1.13.2 - see krb5-1.13.2-1.el7 ... ... marking bug as MODIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2154.html |
Description of problem: This was discovered with upstream test t_kdb.py that is new on krb5-1.12 and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression the same issue was observed on s390x and ppc64 on krb5-1.11 (rhel7.0) and krb5-1.10 (rhel6). Version-Release number of selected component (if applicable): krb5-1.11.3-49.el7 How reproducible: always Steps to Reproduce: Either run the upstream test suite and the test t_kdb.py should fail (make sure openldap is installed) or manually create a test realm with LDAP database backend, then: [root@rhel7]# rpm -q krb5-libs krb5-libs-1.12.2-8.el7.s390x [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 536870912 days 00:00:00 Maximum renewable life: 1073741824 days 00:00:00 Ticket flags: [root@rhel7]# It looks like the policy flags are correct in the database only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more less a cosmetic issue: [root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\# dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com cn: tktpol objectClass: krbTicketPolicy objectClass: krbTicketPolicyAux krbMaxTicketLife: 10800 krbMaxRenewableAge: 21600 krbTicketFlags: 2 search: 2 result: 0 Success [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol [root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\# dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com cn: tktpol objectClass: krbTicketPolicy objectClass: krbTicketPolicyAux krbMaxTicketLife: 14400 krbMaxRenewableAge: 28800 krbTicketFlags: 128 search: 2 result: 0 Success [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 715827882 days 16:00:00 Maximum renewable life: 1431655765 days 08:00:00 Ticket flags: [root@rhel7]# Expected results: On x86_64 and ppc64le: # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol [root@rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 0 days 03:00:00 Maximum renewable life: 0 days 06:00:00 Ticket flags: DISALLOW_FORWARDABLE