Bug 1250154

Summary: [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: dpal
Target Milestone: rc
Target Release: ---
Hardware: s390x
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.13.2-8.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1281725
Environment:
Last Closed: 2015-11-19 05:14:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrik Kis 2015-08-04 15:33:41 UTC
Description of problem:
After krb5 rebase there is a new piece of upstream test code that fails on s390x and ppc64 and passes on x86_64 (plan to test on aarch64 and ppc64le too). It also fails without the downstream patches.

The new part of the test that fails is in src/tests/t_pkinit.py:

  # Test anonymous kadmin.
  f = open(os.path.join(realm.testdir, 'acl'), 'a')
  f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
  f.close()
  realm.start_kadmind()
  out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
  if 'created.' not in out:
      fail('Could not create principal with anonymous kadmin')
  out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
  if "Operation requires ``get'' privilege" not in out:
      fail('Anonymous kadmin has too much privilege')
  realm.stop_kadmind()

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:
# PYTHONPATH=../util VALGRIND="" python ./t_pkinit.py  -v
*** [1] Executing: /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/M'
*** [1] Completed with return code 0
*** [2] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw user11345 user
WARNING: no policy specified for user; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "user" created.
*** [2] Completed with return code 0
*** [3] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw admin11345 user/admin
WARNING: no policy specified for user/admin; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "user/admin" created.
*** [3] Completed with return code 0
*** [4] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey host/ibm-z10-46.rhts.eng.bos.redhat.com
WARNING: no policy specified for host/ibm-z10-46.rhts.eng.bos.redhat.com; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "host/ibm-z10-46.rhts.eng.bos.redhat.com" created.
*** [4] Completed with return code 0
*** [5] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q ktadd -k /root/krb5-1.13.2/src/tests/testdir/keytab -norandkey host/ibm-z10-46.rhts.eng.bos.redhat.com
Authenticating as principal root/admin with password.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /root/krb5-1.13.2/src/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 11351
*** [7] Executing: ./responder -r password=user11345 user
*** [7] Completed with return code 0
*** [8] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit user
Password for user: 
*** [8] Completed with return code 0
*** [9] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: user

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM
*** [9] Completed with return code 0
*** [10] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com
host/ibm-z10-46.rhts.eng.bos.redhat.com: kvno = 1
*** [10] Completed with return code 0
*** [11] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
kinit: Client 'WELLKNOWN/ANONYMOUS' not found in Kerberos database while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey WELLKNOWN/ANONYMOUS
WARNING: no policy specified for WELLKNOWN/ANONYMOUS; defaulting to no policy
Authenticating as principal user/admin with password.
Principal "WELLKNOWN/ANONYMOUS" created.
*** [12] Completed with return code 0
*** [13] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
*** [13] Completed with return code 0
*** [14] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM
*** [14] Completed with return code 0
*** [15] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com
host/ibm-z10-46.rhts.eng.bos.redhat.com: kvno = 1
*** [15] Completed with return code 0
*** [16] Starting: /root/krb5-1.13.2/src/kadmin/server/kadmind -nofork -W -p /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util -K /root/krb5-1.13.2/src/slave/kprop -F /root/krb5-1.13.2/src/tests/testdir/dump
kadmind: starting...
*** [16] Started with pid 11361
*** [17] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin -n -q addprinc -pw test testadd
WARNING: no policy specified for testadd; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "testadd".
Authenticating as principal WELLKNOWN/ANONYMOUS with password; anonymous requested.
*** [17] Completed with return code 0
*** Failure: Could not create principal with anonymous kadmin

Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other options.

Comment 1 Patrik Kis 2015-08-04 15:55:28 UTC
The problem also appears on ppc64le, so it probably has nothing to do with endianness.

Comment 2 Patrik Kis 2015-08-05 15:41:14 UTC
I'm posting a new description of the issue.

Description of problem:
On the following architectures (s390x, ppc64, ppc64le) kadmind does not accept the ACL if the line in /var/kerberos/krb5kdc/kadm5.acl does not end with EOL.

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:

# uname -p
s390x
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice	*
# service kadmin start
Redirecting to /bin/systemctl start  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.
# kadmin -p alice -q 'delprinc -force test'
Authenticating as principal alice with password.
Password for alice: 
Principal "test" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
#
#
# echo -n 'alice     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".



The same test on x86_64:

# uname -p
x86_64
# echo -n 'alice     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.

Comment 3 Roland Mainz 2015-08-06 16:54:20 UTC
Taking and accepting bug...

Comment 4 Roland Mainz 2015-08-06 16:55:38 UTC
pkis:
Just to verify: Are you sure that both big-endian ppc64 and little-endian ppc64 are affected? If this is "true" then we can rule out endian-related bugs and have to look at ABI/parser differences...

Comment 5 Patrik Kis 2015-08-07 09:01:34 UTC
(In reply to Roland Mainz from comment #4)
> pkis:
> Just to verify: Are you sure that both big-endian ppc64 and little-endian
> ppc64 are affected? If this is "true" then we can rule out endian-related
> bugs and have to look at ABI/parser differences...

Double checked and yes, all RHEL-7.2 architectures are affected except x86_64. Including the new platforms, ppc64le and aarch64 (both little endian).

# uname -p
x86_64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.



# uname -p
s390x
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
ppc64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
ppc64le
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
aarch64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

Comment 6 Roland Mainz 2015-08-18 12:50:30 UTC
(In reply to Patrik Kis from comment #5)
> (In reply to Roland Mainz from comment #4)
> > pkis:
> > Just to verify: Are you sure that both big-endian ppc64 and little-endian
> > ppc64 are affected? If this is "true" then we can rule out endian-related
> > bugs and have to look at ABI/parser differences...
> 
> Double checked and yes, all RHEL-7.2 architectures are affected except
> x86_64. Including the new platforms, ppc64le and aarch64 (both little
> endian).

OK... I have good news... and very very bad news:
- good news: I tracked the issue in the parser down to a difference in how the compiler handles |char| with |signed| vs. |unsigned| on the affected platforms vs. x86/AMD64
- bad news: Sun Studio lint(1) reports 38 more of these issues
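
The class of bug named in comment 6, as an added example that is not part of this report and is not krb5 source: a line reader that narrows a getc-style return value to plain char before testing for EOF recognises end-of-file only where char is signed, so a last line without a newline is lost on s390x, ppc64, ppc64le and aarch64. The names read_acl_line, next_byte, through_plain_char and the mode parameter are hypothetical, and the ABI difference is emulated with explicit casts so both outcomes can be seen on one machine.

```c
/* Added illustration of the char-signedness bug class; not krb5 source. */
#include <stdio.h>

#define ACL_LINE_MAX 64

/* Constructed sample: the ACL line from the report, with no trailing newline. */
static const char SAMPLE_ACL[] = "alice     *";

/* In-memory stand-in for fgetc(): unsigned char value as int, or EOF. */
static int next_byte(const char *s, size_t *pos)
{
    return s[*pos] ? (unsigned char)s[(*pos)++] : EOF;
}

/* Value an int has after being stored in plain char: signed on x86_64,
 * unsigned on s390x, ppc64, ppc64le and aarch64. */
static int through_plain_char(int c, int char_is_unsigned)
{
    return char_is_unsigned ? (int)(unsigned char)c : (int)(signed char)c;
}

/* mode 0/1: buggy reader on a signed/unsigned-char ABI; mode 2: fixed reader
 * that tests the int before narrowing. Returns the line length, or -1 when
 * no terminator is recognised before the buffer fills. */
int read_acl_line(const char *src, char *out, int mode)
{
    size_t pos = 0;
    for (int i = 0; i < ACL_LINE_MAX - 1; i++) {
        int c = next_byte(src, &pos);
        if (mode != 2)
            c = through_plain_char(c, mode);   /* EOF becomes 255 if unsigned */
        if (c == '\n' || c == EOF) {
            out[i] = '\0';
            return i;
        }
        out[i] = (char)c;
    }
    out[ACL_LINE_MAX - 1] = '\0';
    return -1;
}

int main(void)
{
    char line[ACL_LINE_MAX];
    const char *label[] = { "signed char", "unsigned char", "int (fixed)" };
    for (int mode = 0; mode < 3; mode++)
        printf("%-13s -> %d\n", label[mode], read_acl_line(SAMPLE_ACL, line, mode));
    return 0;
}
```

Keeping the return value in an int until after the EOF comparison makes the result independent of the platform's char signedness.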

Comment 7 Roland Mainz 2015-08-20 18:26:35 UTC
Fixed in krb5-1.13.2-8.el7 ...

... marking bug as MODIFIED.

Comment 12 errata-xmlrpc 2015-11-19 05:14:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html