Bug 1251586
| Summary: | KDC sends multiple requests to ipa-otpd for the same authentication | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nathaniel McCallum <npmccallum> | |
| Component: | krb5 | Assignee: | Robbie Harwood <rharwood> | |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.1 | CC: | ddas, dpal, ekeck, npmccallum, nsoman, pkis, xdong | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | krb5-1.13.2-5.el7 | Doc Type: | Bug Fix | |
| Doc Text: |
Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1256870 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 05:14:19 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1256870 | |||
|
Description
Nathaniel McCallum
2015-08-07 19:57:39 UTC
Pls add steps to verify 1. Clean install of IPA. 2. Log in as admin: kinit admin 3. Add a radius server record (ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo). 4. DO NOT set up an actual radius server. We want the requests to time out. 5. Add a user: ipa user-add foo. 6. Set the user's password: ipa passwd foo 7. Configure user for radius: ipa user-mod foo --radius=foo --user-auth-type=radius 8. In another window, run: journalctl --follow 9. Authenticate as user foo. In the journalctl window, you should see only one request processed by ipa-otpd rather than four. Taking bug myself and switching to "assigned" ... (In reply to Nathaniel McCallum from comment #0) > The patch at the following link fixes the issue and has been submitted > upstream. > > https://github.com/krb5/krb5/pull/308 Sigh... ... npmccallum: Do you know any other places in krb5 territory which do a similar kind of retry for UDP which should not be used for reliable transports like TCP ? (In reply to Nathaniel McCallum from comment #0) > The patch at the following link fixes the issue and has been submitted > upstream. > > https://github.com/krb5/krb5/pull/308 Patch OK, r=rmainz for https://github.com/krb5/krb5/commit/25e0656fdf9862faf9aa91288023776e9a47caad No. This arose precisely because of the radius code as part of the OTP project. Patch checked-in (krb5-1.13.2-5.el7) ... ... marking bug as MODIFIED. Verified based on Comment 3: [root@ibm-x3650m4-01-vm-03 ~]# rpm -q krb5-server ipa-server krb5-server-1.12.2-15.el7_1.x86_64 ipa-server-4.1.0-18.el7_1.4.x86_64 [root@ibm-x3650m4-01-vm-03 ~]# ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo Secret: Enter Secret again to verify: ------------------------------- Added RADIUS proxy server "foo" ------------------------------- RADIUS proxy server name: foo Server: localhost.localdomain Secret: MQ== Retries: 0 [root@ibm-x3650m4-01-vm-03 ~]# ipa user-add foo First name: foo Last name: foo ---------------- Added user "foo" ---------------- User login: foo First name: foo Last name: foo Full name: foo foo Display name: foo foo Initials: ff Home directory: /home/foo GECOS: foo foo Login shell: /bin/sh Kerberos principal: foo Email address: foo UID: 1143400001 GID: 1143400001 Password: False Member of groups: ipausers Kerberos keys available: False [root@ibm-x3650m4-01-vm-03 ~]# ipa passwd foo New Password: Enter New Password again to verify: ---------------------------------------- Changed password for "foo" ---------------------------------------- [root@ibm-x3650m4-01-vm-03 ~]# ipa user-mod foo --radius=foo --user-auth-type=radius ------------------- Modified user "foo" ------------------- User login: foo First name: foo Last name: foo Home directory: /home/foo Login shell: /bin/sh Email address: foo UID: 1143400001 GID: 1143400001 Account disabled: False User authentication types: radius RADIUS proxy configuration: foo Password: True Member of groups: ipausers Kerberos keys available: True [root@ibm-x3650m4-01-vm-03 ~]# journalctl --follow . . . Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_unix(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=...ser=foo Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: request received Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: user query start Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: user query end: uid=foo,cn=users,cn=accounts,dc=testrelm,dc=test Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: radius query start: cn=foo,cn=radiusproxy,dc=testrelm,dc=test Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: radius query end: localhost.localdomain Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: forward start: foo / localhost.localdomain Sep 04 15:11:37 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393897.402594] [devices/nm-device.c:2303] activation_source...eduled Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=p...ser=foo Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): received for user foo: 17 (Failure setting user credentials) Sep 04 15:11:43 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: FAILED SU (to foo) root on pts/0 Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: forward end: Connection timed out Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: response sent: Access-Reject Sep 04 15:12:03 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393923.451953] [devices/nm-device.c:2303] activation_source...eduled Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2154.html |