Bug 1281734

Summary: kdb5_ldap_util view_policy does not show ticket flags on s390x and ppc64
Product: Red Hat Enterprise Linux 6
Reporter: Patrik Kis <pkis>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Marek Marusic <mmarusic>
Severity: low
Priority: low
Version: 6.8
CC: dpal, jplans, mmarusic, nalin, pkis
Target Milestone: rc
Keywords: EasyFix
Hardware: s390
OS: Unspecified
Fixed In Version: krb5-1.10.3-53.el6
Doc Type: Bug Fix
Clone Of: 1163402
Last Closed: 2016-05-11 01:01:45 UTC
Type: Bug

Description Patrik Kis 2015-11-13 10:45:16 UTC
The problem also exists in RHEL-6. Although it's only a cosmetic issue, it can be easily fixed, so it would be nice to have.

+++ This bug was initially created as a clone of Bug #1163402 +++

Description of problem:
This was discovered with upstream test t_kdb.py that is new on krb5-1.12 and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression; the same issue was observed on s390x and ppc64 on krb5-1.11 (rhel7.0) and krb5-1.10 (rhel6).

Version-Release number of selected component (if applicable):
krb5-1.10.3-45.el6

How reproducible:
always

Steps to Reproduce:

# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 536870912 days 00:00:00
   Maximum renewable life: 1073741824 days 00:00:00
             Ticket flags: 
# 

It looks like the policy flags are correct in the database, only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more or less a cosmetic issue:

# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#

dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 10800
krbMaxRenewableAge: 21600
krbTicketFlags: 2

search: 2
result: 0 Success

# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol
# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#

dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 14400
krbMaxRenewableAge: 28800
krbTicketFlags: 128

search: 2
result: 0 Success

# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 715827882 days 16:00:00
   Maximum renewable life: 1431655765 days 08:00:00
             Ticket flags: 

Expected results:
On x86_64:

# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root@rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 0 days 03:00:00
   Maximum renewable life: 0 days 06:00:00
             Ticket flags: DISALLOW_FORWARDABLE
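
Added example (not part of the report and not krb5 code): the lifetimes printed on s390x/ppc64 equal the stored LDAP values shifted left by 32 bits, which is what a 4-byte store read back through an 8-byte integer gives on a big-endian host. That cause is an assumption, since the report does not state one; the helper names are hypothetical and the byte order is simulated so the check runs on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a 32-bit value into the first 4 bytes of a zeroed 8-byte slot, then
 * read all 8 bytes back as one integer, both in the chosen byte order.
 * Models the ASSUMED int-sized store read through a long-sized variable. */
static uint64_t read_back_as_64(uint32_t v, int big_endian)
{
    unsigned char slot[8] = {0};
    uint64_t out = 0;
    int i;
    for (i = 0; i < 4; i++)
        slot[i] = (unsigned char)(v >> (big_endian ? 8 * (3 - i) : 8 * i));
    for (i = 0; i < 8; i++)
        out |= (uint64_t)slot[i] << (big_endian ? 8 * (7 - i) : 8 * i);
    return out;
}

/* Low 32 bits: what a 32-bit flag-name lookup would be given (assumption). */
static uint32_t low32(uint64_t x) { return (uint32_t)(x & 0xffffffffu); }

/* Format seconds as "D days HH:MM:SS", the layout view_policy prints. */
static const char *fmt_life(uint64_t secs, char *buf, size_t n)
{
    snprintf(buf, n, "%llu days %02u:%02u:%02u",
             (unsigned long long)(secs / 86400),
             (unsigned)(secs % 86400 / 3600),
             (unsigned)(secs % 3600 / 60), (unsigned)(secs % 60));
    return buf;
}

int main(void)
{
    /* Values copied from the ldapsearch output in the report. */
    const uint32_t life[] = {10800, 21600, 14400, 28800};
    const uint32_t flags[] = {2, 128};
    char buf[64];
    size_t i;
    for (i = 0; i < 4; i++) {
        printf("%5u s  LE: %s", (unsigned)life[i],
               fmt_life(read_back_as_64(life[i], 0), buf, sizeof buf));
        printf("   BE: %s\n",
               fmt_life(read_back_as_64(life[i], 1), buf, sizeof buf));
    }
    for (i = 0; i < 2; i++)
        printf("flags %3u  LE low32: %u   BE low32: %u\n", (unsigned)flags[i],
               (unsigned)low32(read_back_as_64(flags[i], 0)),
               (unsigned)low32(read_back_as_64(flags[i], 1)));
    return 0;
}
```

The big-endian column reproduces all four lifetimes shown in the report, and the low 32 bits of both flag values come out as zero, matching the empty "Ticket flags:" line.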

Comment 10 errata-xmlrpc 2016-05-11 01:01:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0945.html