Bug 694208

Summary: krb5 backed by ldap performing excessive reference count during kinit throws error result: 11 Administrative limit exceeded
Product: [Fedora] Fedora Reporter: Jr Aquino <jr.aquino>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 14CC: nalin, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 1.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-07 11:41:56 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jr Aquino 2011-04-06 14:07:45 EDT
Description of problem:
krb5 backed by ldap performing excessive reference count during kinit throws error result: 11 Administrative limit exceeded
When kinit is called, a reference count is performed which looks for all objects which the kerberos policy is applied.  This is causing problems when the ldap return limit is set and a greater number of users exist to return.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install and configure krb5kdc with the ldap backend
2. set an ns-slapd ldap search result limit greater than the number of users present
3. attempt to kinit a user.
Actual results:
#kinit username
kinit: Generic error (see e-text) while getting initial credentials

/var/log/krb5kdc.log: Apr 06 11:06:03 auth1.example.com krb5kdc[26469](info): AS_REQ (4 etypes {18 17 16 23}) LOOKING_UP_CLIENT: username@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Administrative limit exceeded

Expected results:
Successful kinit

Additional info:
Comment 1 Rob Crittenden 2011-04-06 14:11:57 EDT
389-ds logged the query as:

SRCH base="dc=example,dc=com" scope=2 filter="(krbPwdPolicyReference=cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=expertcity,dc=com)" attrs="krbPwdPolicyReference"

It looks like a reference counter function, krb5_ldap_get_reference_count(), is the culprit. 

It looks like the 2 callers just want the result to be non-zero so we don't need an exact count. I think it should be enough to catch limit errors and return success (and a count of 1).
Comment 2 Jr Aquino 2011-04-07 11:41:56 EDT
This problem appears to be resolved in version 1.9 / FC15

I would be interested in understanding the delta that fixed this in 1.9, but this ticket can now be closed as the 'supported' version of the kdc + ldap doesn't have this issue.