Bug 923909
Field | Value
---|---
Summary | 389-ds-base cannot handle Kerberos tickets with PAC
Product | Red Hat Enterprise Linux 6
Reporter | Nathan Kinder <nkinder>
Component | 389-ds-base
Assignee | Rich Megginson <rmeggins>
Status | CLOSED ERRATA
QA Contact | Sankar Ramalingam <sramling>
Severity | high
Priority | unspecified
Version | 6.4
CC | edewata, jgalipea, jrusnack, lnovich, mkosek, mreynolds, nhosoi, nkinder, rcritten, rmeggins
Target Milestone | rc
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | 389-ds-base-1.2.11.15-22.el6
Doc Type | Bug Fix
Doc Text | Cause: Default SASL IO buffer size was too small. Consequence: SASL connections could be refused. Fix: Increased the SASL IO buffer size. Result: SASL connections are accepted.
Story Points | ---
Clone Of | 923879
Last Closed | 2013-11-21 21:06:22 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Depends On | 923879
Description (Nathan Kinder, 2013-03-20 17:18:12 UTC)
Upstream ticket: https://fedorahosted.org/389/ticket/632

Created attachment 733920 [details]
git patch file 1

Bug Description: When FreeIPA is configured with AD trust support, Kerberos tickets may also contain a PAC, which makes them bigger than usually expected (bigger than 2048 B).
Fix Description: Make the default 64k (65536), and allow it to be configurable using nsslapd-sasl-max-buffer-size.

https://fedorahosted.org/389/ticket/632

Created attachment 733921 [details]
git patch file 2

Bug Description: After upgrading, the server fails to start because the Root DN access control plugin's entry changed to include the nsslapdPlugin objectclass.
Fix Description: Update the schema to allow nsslapd-plugin-depends-on-type in the nsslapdPlugin objectclass.
This bug opened during FreeIPA Test day seems related, but he hasn't configured trust: https://bugzilla.redhat.com/show_bug.cgi?id=953653

Please, add verification steps (for tet) - or will this be automated in FreeIPA?

We do not automate it in FreeIPA; we did not have an issue with it in RHEL. In Fedora 19, the reproduction was simple:
# yum install ipa-server ipa-server-trust-ad
# ipa-server-install
... follow wizard to configure IPA server
# ipa-adtrust-install
... crashed during the middle due to this buffer limitation (see Steps to reproduce above)

Mark, were you able to reproduce this issue outside of IPA?

No, I was not able to.

Testcase in schema/runschema.

[jrusnack@dstet schema]$ grep "nsslapdPlugin" 01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea ) X-ORIGIN 'Netscape Directory Server' )
[jrusnack@dstet schema]$ rpm -qa | grep 389
389-ds-base-debuginfo-1.2.11.15-22.el6.x86_64
389-ds-base-1.2.11.15-22.el6.x86_64
389-ds-base-libs-1.2.11.15-22.el6.x86_64

Tests failed - nsslapdPlugin does not contain nsslapd-plugin-depends-on-type. Hence putting back to ASSIGNED.
[root@hp-dl380pgen8-02-vm-15 schema]# grep "nsslapdPlugin" 01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
[root@hp-dl380pgen8-02-vm-15 schema]# rpm -qa 389-ds-base
389-ds-base-1.2.11.15-23.el6.i686

The latest build shows that the attribute "nsslapd-plugin-depends-on-type" exists in the schema. So, you can go ahead and flip the bugzilla back to Verified state.

Marking verified as per comment https://bugzilla.redhat.com/show_bug.cgi?id=923909#c17

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1653.html
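Added example, not code from the bug report or from 389-ds-base: a small checker for the two things QA verified above, that the nsslapdPlugin objectclass allows nsslapd-plugin-depends-on-type and that nsslapd-sasl-max-buffer-size on cn=config is at least the new 65536 default. The LDIF samples are constructed; on a real instance you would feed it /etc/dirsrv/slapd-<instance>/schema/01core389.ldif and an LDIF dump of cn=config from ldapsearch.

```python
import re

FIXED_DEFAULT_BUFFER = 65536  # default after the fix; the old 2048-byte limit rejected PAC-bearing tickets

# Constructed sample of 01core389.ldif after the fix, folded the way LDIF wraps long values.
SCHEMA_SAMPLE = """\
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape
  defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginType )
  MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
"""
CONFIG_SAMPLE = "dn: cn=config\nnsslapd-sasl-max-buffer-size: 65536\n"  # constructed cn=config dump

def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def attr_list(body, keyword):
    # Accepts both 'MUST ( a $ b )' and the single-attribute form 'MAY a'; names are lower-cased.
    m = re.search(r"\b" + keyword + r"\s*(?:\(\s*([^)]*)\)|([\w-]+))", body)
    raw = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
    return [a.strip().lower() for a in raw.split("$") if a.strip()]

def parse_objectclass(schema_text, name):
    """Return {'must': [...], 'may': [...]} for the named objectClass in schema LDIF, or None."""
    name_re = r"NAME\s+'" + re.escape(name) + "'"
    for line in unfold_ldif(schema_text):
        key, sep, body = line.partition(":")
        if sep and key.strip().lower() == "objectclasses" and re.search(name_re, body, re.IGNORECASE):
            return {"must": attr_list(body, "MUST"), "may": attr_list(body, "MAY")}
    return None

def schema_allows(schema_text, oc_name, attr):
    """True when the objectClass lists attr under MUST or MAY (the check QA ran on this bug)."""
    oc = parse_objectclass(schema_text, oc_name)
    return oc is not None and attr.lower() in oc["must"] + oc["may"]

def sasl_buffer_size(config_text):
    """Configured nsslapd-sasl-max-buffer-size from a cn=config LDIF dump, or None when unset."""
    for line in unfold_ldif(config_text):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "nsslapd-sasl-max-buffer-size":
            return int(value.strip())
    return None
```

With the samples above, schema_allows(SCHEMA_SAMPLE, "nsslapdPlugin", "nsslapd-plugin-depends-on-type") returns True and sasl_buffer_size(CONFIG_SAMPLE) returns 65536; the pre-fix schema from the failed test run would return False for the first call.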