Bug 1250154
Summary: | [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> | |
Component: | krb5 | Assignee: | Robbie Harwood <rharwood> | |
Status: | CLOSED ERRATA | QA Contact: | Patrik Kis <pkis> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 7.1 | CC: | dpal | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | s390x | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | krb5-1.13.2-8.el7 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1281725 (view as bug list) | Environment: | ||
Last Closed: | 2015-11-19 05:14:16 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Patrik Kis
2015-08-04 15:33:41 UTC
The problem also appears on ppc64le, so it probably has nothing to do with endianity. I'm posting a new description if the issue. Description of problem: On the following architectures (s390x, ppc64, ppc64le) kadmind does not accept ACL if the line in /var/kerberos/krb5kdc/kadm5.acl is not ending with EOL. Version-Release number of selected component (if applicable): krb5-1.13.2-4.el7 How reproducible: always Steps to Reproduce: # uname -p s390x # cat /var/kerberos/krb5kdc/kadm5.acl alice * # service kadmin start Redirecting to /bin/systemctl start kadmin.service # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy Principal "test" created. # kadmin -p alice -q 'delprinc -force test' Authenticating as principal alice with password. Password for alice: Principal "test" deleted. Make sure that you have removed this principal from all ACLs before reusing. # # # echo -n 'alice *' >/var/kerberos/krb5kdc/kadm5.acl # cat /var/kerberos/krb5kdc/kadm5.acl alice *# # service kadmin restart Redirecting to /bin/systemctl restart kadmin.service # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy add_principal: Operation requires ``add'' privilege while creating "test". The same test on x86_64: # uname -p x86_64 # echo -n 'alice *' >/var/kerberos/krb5kdc/kadm5.acl # cat /var/kerberos/krb5kdc/kadm5.acl alice *# # service kadmin restart Redirecting to /bin/systemctl restart kadmin.service # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy Principal "test" created. Taking and accepting bug... pkis: Just to verify: Are you sure that both big-endian ppc64 and little-endian ppc64 are affected ? If this is "true" then we can rule-out endian-related bugs and have to look at ABI/parser differences... (In reply to Roland Mainz from comment #4) > pkis: > Just to verify: Are you sure that both big-endian ppc64 and little-endian > ppc64 are affected ? If this is "true" then we can rule-out endian-related > bugs and have to look at ABI/parser differences... Double checked and yes, all RHEL-7.2 architectures are affected except x86_64. Including the new platforms, ppc64le and aarch64 (booth little endian). # uname -p x86_64 # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy Principal "test" created. # uname -p s390x # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy add_principal: Operation requires ``add'' privilege while creating "test". # uname -p ppc64 # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy add_principal: Operation requires ``add'' privilege while creating "test". # uname -p ppc64le # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy add_principal: Operation requires ``add'' privilege while creating "test". # uname -p aarch64 # kadmin -p alice -q 'addprinc -pw test test' Authenticating as principal alice with password. Password for alice: WARNING: no policy specified for test; defaulting to no policy add_principal: Operation requires ``add'' privilege while creating "test". (In reply to Patrik Kis from comment #5) > (In reply to Roland Mainz from comment #4) > > pkis: > > Just to verify: Are you sure that both big-endian ppc64 and little-endian > > ppc64 are affected ? If this is "true" then we can rule-out endian-related > > bugs and have to look at ABI/parser differences... > > Double checked and yes, all RHEL-7.2 architectures are affected except > x86_64. Including the new platforms, ppc64le and aarch64 (booth little > endian). OK... I have good news... and very very bad news: - good news: I tracked the issue in the parser down to a difference how the compiler handles |char| with |signed| vs. |unsigned| on the affected platforms vs. x86/AMD64 - bad news: Sun Studio lint(1) reports 38 more of these issues Fixed in krb5-1.13.2-8.el7 ... ... marking bug as MODIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2154.html |