Bug 1505925
| Summary: | kdc segfault in openldap libs when ipa-server is installed and custom pkinit is configured | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.5 | CC: | abokovoy, cheimes, frenaud, mkosek, myusuf, ndehadra, pasik, pkis, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.6.4-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 10:57:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
ldap_initialize is called with url=0x1, which is a wrong address. In ipadb_get_connection, ipactx contains quite some garbage, including ipactx->uri, later passed as url to ldap_initialize. The ipadb_get_connection was actually called with a garbled ipactx. So it is also with ipadb_check_connection, ipadb_simple_search, ipa_get_init_data, down to a call at ipa_kdb_certauth.c:133 to ipadb_get_context, which returns a wrong ipactx. Then, up the hill, it gets to krb5_db_get_context in kdb5.c, where some KRB5_* macro gets into the game. I did not follow further; IPA devs might orient better here. Hope this makes sense.

When the ipa-server package is installed, the file /etc/krb5.conf.d/ipa-certauth is installed on the machine. The default file /etc/krb5.conf contains the "includedir /etc/krb5.conf.d/" statement that ensures all config files in this path are read -> /etc/krb5.conf.d/ipa-certauth is used even though IPA is not installed. The file /etc/krb5.conf.d/ipa-certauth defines the ipadb.so plugin, which gets called on krb5 hooks. The issue is that the methods defined in ipa_kdb_certauth.c do not check if IPA is installed before execution and probably lack some initialization.

Seems to happen because ipadb contains two plugins: kdb backend and certauth plugin at the same time. We definitely need to protect certauth from using the IPA LDAP codepath when IPA is not initialized:
#9 ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470,
basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2,
filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))",
attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0)
at ipa_kdb_certauth.c:160
Notice basedn, this is clearly a missing check on constructing basedn.
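Added example (not FreeIPA's or MIT krb5's code) illustrating the analysis above and the "use magic value to check if ipadb is used" approach of the upstream fix: a backend context stamped with a magic marker that the certauth path verifies before touching LDAP, beside the unchecked pre-fix pattern. All names, struct layouts, the marker value and the error constants are constructed to mirror the symptoms in the backtrace (basedn built from the db2 principal path, LDAP URI of 0x1); they are not ipa-kdb's real definitions.

```c
/* Added illustration, not FreeIPA's or MIT krb5's code. Shows why a plugin
 * library serving two roles (KDB backend and certauth module) must verify
 * that the context the KDC hands it is really its own. Struct layouts are
 * invented to mirror the symptoms in the backtrace (basedn built from the
 * db2 principal path, LDAP URI of 0x1); they are not ipa-kdb's real structs.
 * Assumes a little-endian LP64 host such as the x86_64 system in the report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPADB_MAGIC 0x1dab0c7aU  /* constructed marker, written only by IPA init */
enum { KRB5_OK = 0, KRB5_KDB_DBNOTINITED = 1 }; /* local stand-ins, not krb5's codes */

/* Pre-fix shape of the IPA backend context: nothing identifies it. */
struct ipadb_legacy { const char *base; const char *uri; };
/* Post-fix shape: a magic word at a fixed offset identifies the context. */
struct ipadb_ctx { uint32_t magic; uint32_t pad; const char *base; const char *uri; };
/* Private state of the stock db2 backend, which is what the KDC actually
 * loaded here because IPA was never set up: unrelated layout, same slot. */
struct db2_ctx { const char *db_name; int lock_count; void *reserved; };

/* One storage area standing in for the KDC's single opaque backend handle. */
static union { struct db2_ctx db2; struct ipadb_legacy legacy; struct ipadb_ctx ipa; } g_handle;

void *make_db2_handle(void) {
    memset(&g_handle, 0, sizeof g_handle);  /* zeroed padding keeps the demo deterministic */
    g_handle.db2.db_name = "/var/kerberos/krb5kdc/principal";
    g_handle.db2.lock_count = 1;
    return &g_handle;
}

void *make_ipadb_handle(void) {
    memset(&g_handle, 0, sizeof g_handle);
    g_handle.ipa.magic = IPADB_MAGIC;
    g_handle.ipa.base = "dc=example,dc=com";
    g_handle.ipa.uri = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    return &g_handle;
}

/* What the last certauth initialisation derived from the handle. */
struct certauth_result { char basedn[128]; uintptr_t uri; };
struct certauth_result last;

/* Pre-fix behaviour: cast whatever the KDC hands over and build the certmap
 * search base and the LDAP URI from it without any identity check. */
int certauth_init_unchecked(void *db_ctx) {
    const struct ipadb_legacy *c = db_ctx;
    snprintf(last.basedn, sizeof last.basedn, "cn=certmap,%s", c->base);
    memcpy(&last.uri, &c->uri, sizeof last.uri); /* this is what reached ldap_initialize() */
    return KRB5_OK;
}

/* Post-fix behaviour: refuse the context unless it carries the magic value,
 * so the IPA LDAP code path is never entered when IPA is not the backend. */
int certauth_init_checked(void *db_ctx) {
    const struct ipadb_ctx *c = db_ctx;
    memset(&last, 0, sizeof last);
    if (c == NULL || c->magic != IPADB_MAGIC)
        return KRB5_KDB_DBNOTINITED;             /* reported as an error, no crash */
    snprintf(last.basedn, sizeof last.basedn, "cn=certmap,%s", c->base);
    memcpy(&last.uri, &c->uri, sizeof last.uri);
    return KRB5_OK;
}

int main(void) {
    certauth_init_unchecked(make_db2_handle());
    printf("unchecked on db2 handle: basedn=%s uri=%#lx\n", last.basedn, (unsigned long)last.uri);
    printf("checked on db2 handle:   rc=%d\n", certauth_init_checked(make_db2_handle()));
    int rc = certauth_init_checked(make_ipadb_handle());
    printf("checked on ipadb handle: rc=%d basedn=%s\n", rc, last.basedn);
    return 0;
}
```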
Upstream ticket: https://pagure.io/freeipa/issue/7261

Fixes have landed in master, 4.6 and 4.5 branch of upstream:
master:
ec228f4 ipa-kdb: use magic value to check if ipadb is used
ipa-4-6:
ebb89eb ipa-kdb: use magic value to check if ipadb is used
ipa-4-5:
f7629b3 ipa-kdb: use magic value to check if ipadb is used
Flo, please backport the fix to RHEL 7 package.

(In reply to Christian Heimes from comment #10)
> Fixes have landed in master, 4.6 and 4.5 branch of upstream:

This should translate in POST state, rather than MODIFIED then.

version:
ipa-server-4.6.4-5.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
krb5-pkinit-1.15.1-34.el7.x86_64
krb5-workstation-1.15.1-34.el7.x86_64
Steps:
1. Install ipa-server package and make sure certauth plugin points to ipadb.so
# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
2. Do not setup ipa server, just create certs and set up KDC with pkinit
For generating kdc client and ca certs, https://github.com/freeipa/freeipa-tools/raw/master/makepki.py is used. Script will create directory "pki" and certs can be found in it.
$ cp pki/ca1/client-kdc.crt /var/kerberos/krb5kdc/kdc.pem
$ cp pki/ca1/client-kdc.key /var/kerberos/krb5kdc/kdckey.pem
$ cp pki/ca1/client.crt /etc/krb5/client.pem
$ cp pki/ca1/client.key /etc/krb5/clientkey.pem
$ cp pki/ca1.crt /etc/krb5/cacert.pem
$ cp pki/ca1.crt /var/kerberos/krb5kdc/cacert.pem
# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/krb5/cacert.pem
pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
3. $ kdb5_util create -s
4. Configure a principal with preauth required.
$ kadmin.local -q "addprinc +requires_preauth user"
5. $ systemctl start krb5kdc.service and
$ systemctl start kadmin.service
6. kinit user
Actual result:
make sure ipa is not configured but packages installed.
[root@master ~]# rpm -qa | grep ipa-server
tmp-ipa-server-rhel76-shared-20180705131021-0.noarch
ipa-server-common-4.6.4-5.el7.noarch
ipa-server-4.6.4-5.el7.x86_64
[root@master ~]# ipa help topics
IPA client is not configured on this system
[root@master ~]# kinit test101
Password for test101:
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7xxS34q
Default principal: test101
Valid starting Expires Service principal
08/17/2018 15:16:05 08/18/2018 15:16:01 krbtgt/EXAMPLE.COM
Expected result:
kinit success and no segfault.
Based on observations in https://bugzilla.redhat.com/show_bug.cgi?id=1505925#c15 , marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
Description of problem: kdc segfault was observed when the certauth plugin points to ipadb.so. It starts on RHEL-7.3 when ipa-server-4.5.0-20.el7 (from RHEL-7.4) is installed. Backtrace goes down from krb5 through ipa to openldap. Not sure if the issue is in openldap triggered by the ipa krb5 plugin or in the ipa plugin itself. As it is triggered by the ipa-server plugin, filing it for ipa now, but feel free to move it to the right component. Also tested on the latest builds, the issue is still there.

#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1 0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0) at memory.c:637
#2 0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
#3 0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3) at url.c:1293
#4 0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
#5 0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1) at options.c:584
#6 0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>) at open.c:245
#7 0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
#8 0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
#9 ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0) at ipa_kdb_certauth.c:160
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, cert=0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, context=0x55f6dc452ef0) at pkinit_srv.c:367
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340) at event.c:1350
#20 event_process_active (base=<optimized out>) at event.c:1420
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065

Version-Release number of selected component (if applicable):
openldap-2.4.44-5.el7
krb5-server-1.15.1-8.el7
ipa-server-4.5.0-20.el7

How reproducible: always

Steps to Reproduce:
1. Install ipa-server package and make sure certauth plugin points to ipadb.so
# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
2. Do not setup ipa server, just create certs and set up KDC with pkinit
# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/krb5/cacert.pem
pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
3. Configure a principal with preauth required and do kinit

Actual results: kdc segfault

Expected results: no segfault

Additional info:
(gdb) bt f
#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
No locals.
#1 0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0) at memory.c:637
        p = <optimized out>
        len = <optimized out>
#2 0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
        res = <optimized out>
        str = <optimized out>
        s = <optimized out>
        lasts = 0x7ffe7082824f ""
        i = <optimized out>
#3 0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3) at url.c:1293
        i = <optimized out>
        rc = <optimized out>
        ludp = 0x28
        urls = <optimized out>
        __PRETTY_FUNCTION__ = "ldap_url_parselist_int"
#4 0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
No locals.
#5 0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1) at options.c:584
        urls = 0x1 <Address 0x1 out of bounds>
        ludlist = 0x0
        lo = 0x55f6dc4479e0
        dbglvl = 0x0
        rc = 0
        __PRETTY_FUNCTION__ = "ldap_set_option"
#6 0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>) at open.c:245
        rc = <optimized out>
        ld = 0x55f6dc442b30
#7 0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
        tv = {tv_sec = 5, tv_usec = 0}
        res = 0x0
        first = <optimized out>
        ret = <optimized out>
        v3 = 22006
#8 0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
No locals.
#9 ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
        ret = <optimized out>
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0) at ipa_kdb_certauth.c:160
        ret = <optimized out>
        prio = 32766
        ipactx = 0x55f6dc452470
        result = 0x0
        le = <optimized out>
        ctx = 0x0
        kerr = <optimized out>
        c = <optimized out>
        match_rule = 0x0
        domains = 0x0
        certmap_attrs = {0x7fefc3e2a6f8 "objectClass", 0x7fefc3e2b990 "ipaCertMapPriority", 0x7fefc3e2b9a3 "ipaCertMapMatchRule", 0x7fefc3e2b9b7 "ipaCertMapMapRule", 0x7fefc3e2b9c9 "associatedDomain", 0x7fefc3e2b9da "ipaEnabledFlag", 0x0}
        basedn = 0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal"
        lc = <optimized out>
        map_rule = 0x0
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, cert=0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
        cert_filter = 0x0
        domains = 0x0
        ret = <optimized out>
        c = <optimized out>
        principal = 0x0
        auth_inds = 0x0
        res = 0x0
        kerr = <optimized out>
        lentry = 0x0
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, context=0x55f6dc452ef0) at pkinit_srv.c:367
        opts = {cb = 0x55f6da9d9020 <callbacks>, rock = 0x55f6dc4550c0, plgctx = 0x55f6dc425d30, reqctx = 0x55f6dc43cab0}
        cert = 0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t"
        ais = 0x0
        ret = <optimized out>
        h = 0x55f6dc439f30
        db_ent = 0x0
        ai = <optimized out>
        accepted = 0
        i = <optimized out>
        cert_len = 886
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
        retval = 0
        authp_data = {magic = 0, length = 943, data = 0x55f6dc443450 "0\202\003\253\240<0:\240\005\002\003\001\036s\241\021\030\017\062\060\061\067\061\060\062\064\061\064\063\062\065\063Z\242\006\002\004\031\336My\243\026\004\024\001\362T\020\274eo\036H\202x\355\071\215)\035\314\307\346ݡ\202\003+0\202\003'0\202\002\031\006\a*\206H\316>\002\001\060\202\002\f\002\202\001\001"}
        krb5_authz = {magic = 0, length = 504, data = 0x55f6dc4480c0 "0\202\001\364\060\202\001\004\200o0m1\v0\t\006\003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\003U\004\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd1\022\060\020\006\003U\004\v\f\tdummyunit1\016\060\f\006\003U\004\003\f\005alice\201y0w0j1\v0\t\006\003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\003U\004\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd"...}
        reqp = 0x55f6dc43eac0
        reqp9 = 0x0
        auth_pack = 0x0
        auth_pack9 = 0x0
        plgctx = 0x55f6dc425d30
        reqctx = 0x55f6dc43cab0
        cksum = {magic = 0, checksum_type = 0, length = 0, contents = 0x0}
        der_req = 0x0
        k5data = {magic = 32, length = 2495, data = 0x55f6dc4543d0 "0\202\t\273\200\202\b\305\060\202\b\301\006\t*\206H\206\367\r\001\a\002\240\202\b\262\060\202\b\256\002\001\003\061\v0\t\006\005+\016\003\002\032\005"}
        is_signed = 1
        e_data = 0x0
        modreq = 0x0
        sp = <optimized out>
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
        __PRETTY_FUNCTION__ = "next_padata"
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
        errcode = <optimized out>
        s_flags = <optimized out>
        encoded_req_body = {magic = 4, length = 151, data = 0x55f6dc455ccc "0\201\224\240\a\003\005"}
        useenctype = <optimized out>
        au_state = 0x55f6dc43c6d0
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
        retval = <optimized out>
        as_req = 0x55f6dc4542c0
        response = 0x0
        kdc_err_context = 0x55f6dc402200
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
        local_saddrlen = 16
        local_saddrp = <optimized out>
        state = 0x55f6dc43b170
        conn = <optimized out>
        nread = <optimized out>
        len = 2719
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
        priv = <optimized out>
        __PRETTY_FUNCTION__ = "verto_fire"
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340) at event.c:1350
        ev = 0x55f6dc453730
        count = 1
#20 event_process_active (base=<optimized out>) at event.c:1420
        activeq = 0x55f6dc425770
        i = 1
        c = 0
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
        evsel = 0x7fefc4f1bbe0 <epollops>
        tv = {tv_sec = 94518715951064, tv_usec = 94515050315781}
        tv_p = <optimized out>
        res = <optimized out>
        done = 0
        retval = 0
        __func__ = "event_base_loop"
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065
        retval = <optimized out>
        kcontext = 0x55f6dc402200
        realm = <optimized out>
        ctx = 0x55f6dc415a20
        tcp_listen_backlog = 5
        i = <optimized out>