Bug 1875001

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | It is not possible to edit KDC database when the FreeIPA server is running | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Filip Dvorak <fdvorak> |
| Component | ipa | Assignee | Thomas Woerner <twoerner> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 8.3 | CC | abokovoy, ksiddiqu, ndehadra, pasik, pcech, pvoborni, rcritten, ssidhaye, tscherf |
| Target Milestone | rc | Keywords | TestCaseProvided, Triaged |
| Target Release | 8.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.9.0-0.1.rc1 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-05-18 15:48:21 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Filip Dvorak
2020-09-02 17:48:52 UTC
(For ease of debugging, this can also be observed using `kadmin.local getprincs`.)

Unfortunately I don't have a patch, but here are my notes.

- kadmin.local translates getprincs into iteration for '*'
- ipadb_iterate gets called for match_entry '*'
- ipadb_fetch_principals gets called, with principal '*'
- that shim turns into ipadb_fetch_principals_with_extra_filter: filter is NULL, principal is '*' -> esc_original_princ is * -> src_filter is "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))"
- ipadb_simple_search gets called with filter ^
- ... into ldap_search_ext_s
- ... into ldap_pvt_search, which returns -7 and that error code is propagated back up.

While we don't support editing the KDB through kadmin.local, we do need getprincs/getprinc to work - i.e., read-only access - for our testing scripts (including what Filip runs for our QE).

I can reproduce this with a simple ldapsearch and the error happens in openldap's libldap where it cannot parse the filter if that one includes '*' in the 'krbprincipalname:caseIgnoreIA5Match:=*' term.
```
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))
# requesting: ALL
#

ldap_search_ext: Bad search filter (-7)
```

If I'd replace the last '*' with any other value, it matches:

```
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=admin)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=admin)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
```

RFC 4515 section 3 defines the value used to assert as AssertionValue from https://tools.ietf.org/html/rfc4511#section-4.1.6:

```
assertionvalue = valueencoding
; The <valueencoding> rule is used to encode an <AssertionValue>
; from Section 4.1.6 of [RFC4511].
valueencoding  = 0*(normal / escaped)
normal         = UTF1SUBSET / UTFMB
escaped        = ESC HEX HEX
UTF1SUBSET     = %x01-27 / %x2B-5B / %x5D-7F
                 ; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
                 ; RPAREN, ASTERISK, and ESC.
EXCLAMATION    = %x21 ; exclamation mark ("!")
AMPERSAND      = %x26 ; ampersand (or AND symbol) ("&")
ASTERISK       = %x2A ; asterisk ("*")
COLON          = %x3A ; colon (":")
VERTBAR        = %x7C ; vertical bar (or pipe) ("|")
TILDE          = %x7E ; tilde ("~")
```

Note that although both the <substring> and <present> productions in the grammar above can produce the "attr=*" construct, this construct is used only to denote a presence filter.

The <valueencoding> rule ensures that the entire filter string is a valid UTF-8 string and provides that the octets that represent the ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits representing the value of the encoded octet.

If I'd use '%x2A' instead of the asterisk in the filter, it returns me all expected values:

```
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=%x2A)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=%x2A)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
```

Upstream ticket: https://pagure.io/freeipa/issue/8490

Fixed upstream master:
https://pagure.io/freeipa/c/d00106b34de231bc67cdee904dbdccc21c8fcbc6
https://pagure.io/freeipa/c/ba1a7b97c192221af8f4823b82ea1bcf9a2b491c

Fixed upstream ipa-4-8:
https://pagure.io/freeipa/c/ec8a560392c89da96a805e9779eaa2041dd992c1
https://pagure.io/freeipa/c/f316d0118b8b00207e8d005f20d5de837c46a220

Test in ipatests/test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs

Verified based on the following info.

Snip from runner.log for IPA Version:
------------------------------------

```
2020-12-17T14:33:33+0000 TASK [List installed IPA packages version] *************************************
2020-12-17T14:33:34+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2020-12-17T14:33:34+0000   msg:
2020-12-17T14:33:34+0000   - arch: x86_64
2020-12-17T14:33:34+0000     epoch: null
2020-12-17T14:33:34+0000     name: ipa-server
2020-12-17T14:33:34+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-17T14:33:34+0000     source: rpm
2020-12-17T14:33:34+0000     version: 4.9.0
```

Snip from test-result.xt:
-------------------------

Test "ipatests/test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs" for this bugzilla is successful as per the following details from the test run.

```
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 159 items
....
.......
......
test_ipaserver/test_kadmin.py::TestKadmin::test_create_keytab[service_in_kerberos_subtree] PASSED [ 16%]
test_ipaserver/test_kadmin.py::TestKadmin::test_create_keytab[service_in_service_subtree] PASSED [ 17%]
test_ipaserver/test_kadmin.py::TestKadmin::test_change_key[service_in_kerberos_subtree] PASSED [ 18%]
test_ipaserver/test_kadmin.py::TestKadmin::test_change_key[service_in_service_subtree] PASSED [ 18%]
test_ipaserver/test_kadmin.py::TestKadmin::test_append_key[service_in_kerberos_subtree] PASSED [ 19%]
test_ipaserver/test_kadmin.py::TestKadmin::test_append_key[service_in_service_subtree] PASSED [ 20%]
test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs PASSED [ 20%]
.....
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
=========================== short test summary info ============================
SKIP [1] /usr/lib/python3.6/site-packages/ipatests/test_ipaserver/test_ldap.py:96: No directory manager password in /root/.ipa/.dmpw
SKIP [1] /usr/lib/python3.6/site-packages/ipatests/test_ipaserver/test_ldap.py:122: No directory manager password in /root/.ipa/.dmpw
SKIP [1] test_ipaserver/test_ldap.py:249: Python 2 only
SKIP [1] test_ipaserver/test_topology_plugin.py:35: You did not provide a .dmpw file with the DM password
============== 155 passed, 4 skipped, 6 warnings in 20.15 seconds ==============
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
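The RFC 4515 encoding rules discussed in this bug, as an added example that is not part of the report or of FreeIPA's fix: a small Python helper that escapes assertion values, flags a raw `*` inside an extensible-match item (the cause of the `Bad search filter (-7)`), and builds the ipa-kdb style principal lookup filter safely. The function names and the mapping of a `*` request onto presence filters are assumptions of this example, not ipa-kdb's actual change.

```python
"""RFC 4515 assertion-value escaping for an ipa-kdb style lookup filter.

Added example, not code from FreeIPA or from this bug's fix. Function names
and the special-casing of '*' are this example's own assumptions.
"""
import re

# RFC 4515 section 3: these octets must be sent as backslash + two hex digits.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_assertion_value(value: str) -> str:
    """Encode a value so it is safe to embed in a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


# One extensible-match item, e.g. (krbprincipalname:caseIgnoreIA5Match:=admin).
# Simplified: the ':dn:' form is not handled.
_EXTENSIBLE = re.compile(r"\(([^:()=]+):([^:()=]*):=([^()]*)\)")


def find_bad_extensible_values(filter_str: str) -> list:
    """Return assertion values of extensible-match items that contain a raw '*'.

    libldap rejects such a filter with LDAP_FILTER_ERROR (-7), the
    'Bad search filter' seen in the report.
    """
    bad = []
    for m in _EXTENSIBLE.finditer(filter_str):
        value = m.group(3)
        raw = re.sub(r"\\[0-9a-fA-F]{2}", "", value)  # drop valid escapes first
        if "*" in raw:
            bad.append(value)
    return bad


def build_principal_filter(principal: str) -> str:
    """Build the lookup filter for one principal, or for all when given '*'.

    A '*' request becomes presence filters ('attr=*' is only legal as a
    presence filter); any other value is escaped per RFC 4515.
    """
    classes = ("(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)"
               "(objectclass=ipakrbprincipal))")
    if principal == "*":
        names = "(|(ipakrbprincipalalias=*)(krbprincipalname=*))"
    else:
        esc = escape_assertion_value(principal)
        names = f"(|(ipakrbprincipalalias={esc})(krbprincipalname:caseIgnoreIA5Match:={esc}))"
    return f"(&{classes}{names})"
```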