1170272 – [RFE] Add LocalAuth plugin API

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1170272 - [RFE] Add LocalAuth plugin API

Summary: [RFE] Add LocalAuth plugin API

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	6.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Roland Mainz
QA Contact:	Patrik Kis
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1168357 1175494 1197176
TreeView+	depends on / blocked

Reported:	2014-12-03 16:27 UTC by Martin Kosek
Modified:	2015-09-08 17:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:	krb5-1.10.3-34.el6
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-22 07:36:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:1410	0	normal	SHIPPED_LIVE	krb5 bug fix and enhancement update	2015-07-20 18:06:55 UTC

Description Martin Kosek 2014-12-03 16:27:17 UTC

Description of problem:

MIT Kerberos LocalAuth API was commited upstream (https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3) and released in version 1.12. The API should be also made available in RHEL 6 so that SSSD can leverage it for it's plugin (Bug 1168357) allowing seamless authentication of Active Directory users to Linux IdM clients.

Version-Release number of selected component (if applicable):
krb5-server-1.10.3-33.el6.x86_64

Comment 1 Martin Kosek 2014-12-03 16:29:37 UTC

It was decide for this change to come via backport and not via rebase. See details in Bug 1168351.

Comment 3 Jakub Hrozek 2015-02-18 19:44:10 UTC

Roland, any estimate on the backport? We need the API in order to enable the localauth plugin in SSSD.

I guess any time before the 6.7 devel freeze is fine, but the sooner the better..

Comment 6 Roland Mainz 2015-02-26 15:00:57 UTC

Taking myself...

Comment 7 Roland Mainz 2015-02-27 17:50:24 UTC

git commit+push done, builds done:
-- snip --
Counting objects: 24, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 23.43 KiB | 0 bytes/s, done.
Total 4 (delta 2), reused 0 (delta 0)
remote: *** Checking commit 41615ddd3c006b6545e54af96d0c2d01e0a97acc
remote: *** Resolves:
remote: ***   Approved:
remote: ***     rhbz#1170272 (rhel-6.7.0+, pm_ack+)
remote: *** Commit 41615ddd3c006b6545e54af96d0c2d01e0a97acc allowed
To ssh://rmainz.redhat.com/rpms/krb5
   f5fabfd..41615dd  rhel-6.7 -> rhel-6.7
[test001@dhcp-80-169 krb5]$ time rhpkg build
warning: bogus date in %changelog: Fri Jun 19 2014 Nalin Dahyabhai <nalin> 1.10.3-24
warning: bogus date in %changelog: Mon Sep 26 1999 Nalin Dahyabhai <nsdahya1.edu>
warning: bogus date in %changelog: Mon Jun 22 1999 Nalin Dahyabhai <nsdahya1.edu>

Building krb5-1.10.3-34.el6 for rhel-6.7-candidate
Created task: 8791139
Task info: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8791139
Watching tasks (this may be safely interrupted)...
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): free
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): free -> open (x86-029.build.eng.bos.redhat.com)
  8791140 buildSRPMFromSCM (/rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com)
  8791140 buildSRPMFromSCM (/rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com) -> closed
  0 free  1 open  1 done  0 failed
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): free
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): free
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): free
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): free
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): free
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): free
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): free -> open (s390-011.build.bos.redhat.com)
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): free -> open (s390-001.build.bos.redhat.com)
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): free -> open (ppc-002.build.bos.redhat.com)
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): free -> open (x86-027.build.eng.bos.redhat.com)
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): free -> open (ppc-003.build.bos.redhat.com)
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): free -> open (x86-026.build.eng.bos.redhat.com)
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): open (s390-011.build.bos.redhat.com) -> closed
  0 free  6 open  2 done  0 failed
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): open (s390-001.build.bos.redhat.com) -> closed
  0 free  5 open  3 done  0 failed
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): open (x86-027.build.eng.bos.redhat.com) -> closed
  0 free  4 open  4 done  0 failed
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): open (x86-026.build.eng.bos.redhat.com) -> closed
  0 free  3 open  5 done  0 failed
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): open (ppc-002.build.bos.redhat.com) -> closed
  0 free  2 open  6 done  0 failed
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): open (ppc-003.build.bos.redhat.com) -> closed
  0 free  1 open  7 done  0 failed
  8791188 tagBuild (noarch): open (x86-022.build.eng.bos.redhat.com)
  8791188 tagBuild (noarch): open (x86-022.build.eng.bos.redhat.com) -> closed
  0 free  1 open  8 done  0 failed
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com) -> closed
  0 free  0 open  9 done  0 failed

8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc) completed successfully
-- snip --

Comment 9 Patrik Kis 2015-03-11 16:01:47 UTC

This fix introduced this regression. I'm not sure how serious the issue is, so posting the details here. The issue was not present with 1.10.3-33.el6.
If this is not a real bug, feel free to assign the bug report back to ON_QA.

[root@rhel60 ~]# rpm -q krb5-libs
krb5-libs-1.10.3-34.el6.x86_64
# kinit alice
Password for alice: 
#
# cat > gss.supp
{
krb5_matchpathcon
Memcheck:Leak
...
fun:matchpathcon
...
}
#
# valgrind --suppressions=gss.supp --leak-check=yes gss-server -once -verbose host
==18821== Memcheck, a memory error detector
==18821== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==18821== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==18821== Command: gss-server -once -verbose host
==18821== 
starting...
Received token (size=620): 
60 82 02 68 06 09 2a 86 48 86 f7 12 01 02 02 01 
... snip ...
3c b3 
Received message: "Test Message Goes Here"
NOOP token
==18821== 
==18821== HEAP SUMMARY:
==18821==     in use at exit: 528 bytes in 11 blocks
==18821==   total heap usage: 4,333 allocs, 4,322 frees, 509,322 bytes allocated
==18821== 
==18821== 440 (56 direct, 384 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==18821==    at 0x4C267BB: calloc (vg_replace_malloc.c:593)
==18821==    by 0x50FB35D: load_localauth_modules (k5-int.h:2797)
==18821==    by 0x50FB5FE: krb5_aname_to_localname (localauth.c:437)
==18821==    by 0x4E506CA: krb5_gss_localname (gssapi_krb5.c:761)
==18821==    by 0x4E4A87A: gss_localname (gssd_pname_to_uid.c:169)
==18821==    by 0x10A59E: sign_server (gss-server.c:894)
==18821==    by 0x10AA3A: main (gss-server.c:640)
==18821== 
==18821== LEAK SUMMARY:
==18821==    definitely lost: 56 bytes in 1 blocks
==18821==    indirectly lost: 384 bytes in 6 blocks
==18821==      possibly lost: 0 bytes in 0 blocks
==18821==    still reachable: 88 bytes in 4 blocks
==18821==         suppressed: 0 bytes in 0 blocks
==18821== Reachable blocks (those to which a pointer was found) are not shown.
==18821== To see them, rerun with: --leak-check=full --show-reachable=yes
==18821== 
==18821== For counts of detected and suppressed errors, rerun with: -v
==18821== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 6)
#

Comment 10 Roland Mainz 2015-03-24 10:49:05 UTC

(In reply to Patrik Kis from comment #9)
> This fix introduced this regression. I'm not sure how serious the issue is,
> so posting the details here. The issue was not present with 1.10.3-33.el6.
> If this is not a real bug, feel free to assign the bug report back to ON_QA.
[snip]

Marking bug as ON_QA per discussion with dpal and pkis... IMHO we should file a new bug to tackle the leak in RHEL6.8 ...

Comment 11 Patrik Kis 2015-03-24 11:06:15 UTC

(In reply to Roland Mainz from comment #10)
> (In reply to Patrik Kis from comment #9)
> > This fix introduced this regression. I'm not sure how serious the issue is,
> > so posting the details here. The issue was not present with 1.10.3-33.el6.
> > If this is not a real bug, feel free to assign the bug report back to ON_QA.
> [snip]
> 
> Marking bug as ON_QA per discussion with dpal and pkis... IMHO we should
> file a new bug to tackle the leak in RHEL6.8 ...

The bug 1205161, to track this issue, was filed.

Comment 13 errata-xmlrpc 2015-07-22 07:36:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1410.html

Note You need to log in before you can comment on or make changes to this bug.