Bug 1170272 - [RFE] Add LocalAuth plugin API
Summary: [RFE] Add LocalAuth plugin API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Roland Mainz
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks: 1168357 1175494 1197176
TreeView+ depends on / blocked
 
Reported: 2014-12-03 16:27 UTC by Martin Kosek
Modified: 2015-09-08 17:27 UTC (History)
7 users (show)

Fixed In Version: krb5-1.10.3-34.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-22 07:36:25 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1410 normal SHIPPED_LIVE krb5 bug fix and enhancement update 2015-07-20 18:06:55 UTC

Description Martin Kosek 2014-12-03 16:27:17 UTC
Description of problem:

MIT Kerberos LocalAuth API was commited upstream (https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3) and released in version 1.12. The API should be also made available in RHEL 6 so that SSSD can leverage it for it's plugin (Bug 1168357) allowing seamless authentication of Active Directory users to Linux IdM clients.

Version-Release number of selected component (if applicable):
krb5-server-1.10.3-33.el6.x86_64

Comment 1 Martin Kosek 2014-12-03 16:29:37 UTC
It was decide for this change to come via backport and not via rebase. See details in Bug 1168351.

Comment 3 Jakub Hrozek 2015-02-18 19:44:10 UTC
Roland, any estimate on the backport? We need the API in order to enable the localauth plugin in SSSD.

I guess any time before the 6.7 devel freeze is fine, but the sooner the better..

Comment 6 Roland Mainz 2015-02-26 15:00:57 UTC
Taking myself...

Comment 7 Roland Mainz 2015-02-27 17:50:24 UTC
git commit+push done, builds done:
-- snip --
Counting objects: 24, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 23.43 KiB | 0 bytes/s, done.
Total 4 (delta 2), reused 0 (delta 0)
remote: *** Checking commit 41615ddd3c006b6545e54af96d0c2d01e0a97acc
remote: *** Resolves:
remote: ***   Approved:
remote: ***     rhbz#1170272 (rhel-6.7.0+, pm_ack+)
remote: *** Commit 41615ddd3c006b6545e54af96d0c2d01e0a97acc allowed
To ssh://rmainz@pkgs.devel.redhat.com/rpms/krb5
   f5fabfd..41615dd  rhel-6.7 -> rhel-6.7
[test001@dhcp-80-169 krb5]$ time rhpkg build
warning: bogus date in %changelog: Fri Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-24
warning: bogus date in %changelog: Mon Sep 26 1999 Nalin Dahyabhai <nsdahya1@eos.ncsu.edu>
warning: bogus date in %changelog: Mon Jun 22 1999 Nalin Dahyabhai <nsdahya1@eos.ncsu.edu>

Building krb5-1.10.3-34.el6 for rhel-6.7-candidate
Created task: 8791139
Task info: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8791139
Watching tasks (this may be safely interrupted)...
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): free
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): free -> open (x86-029.build.eng.bos.redhat.com)
  8791140 buildSRPMFromSCM (/rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com)
  8791140 buildSRPMFromSCM (/rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com) -> closed
  0 free  1 open  1 done  0 failed
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): free
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): free
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): free
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): free
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): free
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): free
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): free -> open (s390-011.build.bos.redhat.com)
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): free -> open (s390-001.build.bos.redhat.com)
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): free -> open (ppc-002.build.bos.redhat.com)
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): free -> open (x86-027.build.eng.bos.redhat.com)
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): free -> open (ppc-003.build.bos.redhat.com)
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): free -> open (x86-026.build.eng.bos.redhat.com)
  8791146 buildArch (krb5-1.10.3-34.el6.src.rpm, s390): open (s390-011.build.bos.redhat.com) -> closed
  0 free  6 open  2 done  0 failed
  8791150 buildArch (krb5-1.10.3-34.el6.src.rpm, s390x): open (s390-001.build.bos.redhat.com) -> closed
  0 free  5 open  3 done  0 failed
  8791147 buildArch (krb5-1.10.3-34.el6.src.rpm, x86_64): open (x86-027.build.eng.bos.redhat.com) -> closed
  0 free  4 open  4 done  0 failed
  8791149 buildArch (krb5-1.10.3-34.el6.src.rpm, i686): open (x86-026.build.eng.bos.redhat.com) -> closed
  0 free  3 open  5 done  0 failed
  8791145 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc): open (ppc-002.build.bos.redhat.com) -> closed
  0 free  2 open  6 done  0 failed
  8791148 buildArch (krb5-1.10.3-34.el6.src.rpm, ppc64): open (ppc-003.build.bos.redhat.com) -> closed
  0 free  1 open  7 done  0 failed
  8791188 tagBuild (noarch): open (x86-022.build.eng.bos.redhat.com)
  8791188 tagBuild (noarch): open (x86-022.build.eng.bos.redhat.com) -> closed
  0 free  1 open  8 done  0 failed
8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc): open (x86-029.build.eng.bos.redhat.com) -> closed
  0 free  0 open  9 done  0 failed

8791139 build (rhel-6.7-candidate, /rpms/krb5:41615ddd3c006b6545e54af96d0c2d01e0a97acc) completed successfully
-- snip --

Comment 9 Patrik Kis 2015-03-11 16:01:47 UTC
This fix introduced this regression. I'm not sure how serious the issue is, so posting the details here. The issue was not present with 1.10.3-33.el6.
If this is not a real bug, feel free to assign the bug report back to ON_QA.

[root@rhel60 ~]# rpm -q krb5-libs
krb5-libs-1.10.3-34.el6.x86_64
# kinit alice
Password for alice@EXAMPLE.COM: 
#
# cat > gss.supp
{
krb5_matchpathcon
Memcheck:Leak
...
fun:matchpathcon
...
}
#
# valgrind --suppressions=gss.supp --leak-check=yes gss-server -once -verbose host
==18821== Memcheck, a memory error detector
==18821== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==18821== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==18821== Command: gss-server -once -verbose host
==18821== 
starting...
Received token (size=620): 
60 82 02 68 06 09 2a 86 48 86 f7 12 01 02 02 01 
... snip ...
3c b3 
Received message: "Test Message Goes Here"
NOOP token
==18821== 
==18821== HEAP SUMMARY:
==18821==     in use at exit: 528 bytes in 11 blocks
==18821==   total heap usage: 4,333 allocs, 4,322 frees, 509,322 bytes allocated
==18821== 
==18821== 440 (56 direct, 384 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==18821==    at 0x4C267BB: calloc (vg_replace_malloc.c:593)
==18821==    by 0x50FB35D: load_localauth_modules (k5-int.h:2797)
==18821==    by 0x50FB5FE: krb5_aname_to_localname (localauth.c:437)
==18821==    by 0x4E506CA: krb5_gss_localname (gssapi_krb5.c:761)
==18821==    by 0x4E4A87A: gss_localname (gssd_pname_to_uid.c:169)
==18821==    by 0x10A59E: sign_server (gss-server.c:894)
==18821==    by 0x10AA3A: main (gss-server.c:640)
==18821== 
==18821== LEAK SUMMARY:
==18821==    definitely lost: 56 bytes in 1 blocks
==18821==    indirectly lost: 384 bytes in 6 blocks
==18821==      possibly lost: 0 bytes in 0 blocks
==18821==    still reachable: 88 bytes in 4 blocks
==18821==         suppressed: 0 bytes in 0 blocks
==18821== Reachable blocks (those to which a pointer was found) are not shown.
==18821== To see them, rerun with: --leak-check=full --show-reachable=yes
==18821== 
==18821== For counts of detected and suppressed errors, rerun with: -v
==18821== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 6)
#

Comment 10 Roland Mainz 2015-03-24 10:49:05 UTC
(In reply to Patrik Kis from comment #9)
> This fix introduced this regression. I'm not sure how serious the issue is,
> so posting the details here. The issue was not present with 1.10.3-33.el6.
> If this is not a real bug, feel free to assign the bug report back to ON_QA.
[snip]

Marking bug as ON_QA per discussion with dpal and pkis... IMHO we should file a new bug to tackle the leak in RHEL6.8 ...

Comment 11 Patrik Kis 2015-03-24 11:06:15 UTC
(In reply to Roland Mainz from comment #10)
> (In reply to Patrik Kis from comment #9)
> > This fix introduced this regression. I'm not sure how serious the issue is,
> > so posting the details here. The issue was not present with 1.10.3-33.el6.
> > If this is not a real bug, feel free to assign the bug report back to ON_QA.
> [snip]
> 
> Marking bug as ON_QA per discussion with dpal and pkis... IMHO we should
> file a new bug to tackle the leak in RHEL6.8 ...

The bug 1205161, to track this issue, was filed.

Comment 13 errata-xmlrpc 2015-07-22 07:36:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1410.html


Note You need to log in before you can comment on or make changes to this bug.