Bug 1250154 - [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
Version: 7.1
Hardware: s390x
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Robbie Harwood
QA Contact: Patrik Kis
Reported: 2015-08-04 11:33 EDT by Patrik Kis
Modified: 2015-11-19 00:14 EST (History)

Fixed In Version: krb5-1.13.2-8.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clones: 1281725
Environment:
Last Closed: 2015-11-19 00:14:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Patrik Kis 2015-08-04 11:33:41 EDT
Description of problem:
After the krb5 rebase there is a new piece of upstream test code that fails on s390x and ppc64 and passes on x86_64 (plan to test on aarch64 and ppc64le too). It also fails without the downstream patches.

The new part of the test that fails is in src/tests/t_pkinit.py:

  # Test anonymous kadmin.
  # Appends the anonymous-principal ACL entry without a trailing newline.
  f = open(os.path.join(realm.testdir, 'acl'), 'a')
  f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
  f.close()
  realm.start_kadmind()
  out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
  if 'created.' not in out:
      fail('Could not create principal with anonymous kadmin')
  out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
  if "Operation requires ``get'' privilege" not in out:
      fail('Anonymous kadmin has too much privilege')
  realm.stop_kadmind()

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:
# PYTHONPATH=../util VALGRIND="" python ./t_pkinit.py  -v
*** [1] Executing: /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/M@KRBTEST.COM'
*** [1] Completed with return code 0
*** [2] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw user11345 user@KRBTEST.COM
WARNING: no policy specified for user@KRBTEST.COM; defaulting to no policy
Authenticating as principal root/admin@KRBTEST.COM with password.
Principal "user@KRBTEST.COM" created.
*** [2] Completed with return code 0
*** [3] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw admin11345 user/admin@KRBTEST.COM
WARNING: no policy specified for user/admin@KRBTEST.COM; defaulting to no policy
Authenticating as principal root/admin@KRBTEST.COM with password.
Principal "user/admin@KRBTEST.COM" created.
*** [3] Completed with return code 0
*** [4] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
WARNING: no policy specified for host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM; defaulting to no policy
Authenticating as principal root/admin@KRBTEST.COM with password.
Principal "host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM" created.
*** [4] Completed with return code 0
*** [5] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q ktadd -k /root/krb5-1.13.2/src/tests/testdir/keytab -norandkey host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
Authenticating as principal root/admin@KRBTEST.COM with password.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /root/krb5-1.13.2/src/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 11351
*** [7] Executing: ./responder -r password=user11345 user@KRBTEST.COM
*** [7] Completed with return code 0
*** [8] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit user@KRBTEST.COM
Password for user@KRBTEST.COM: 
*** [8] Completed with return code 0
*** [9] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: user@KRBTEST.COM

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM@KRBTEST.COM
*** [9] Completed with return code 0
*** [10] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM: kvno = 1
*** [10] Completed with return code 0
*** [11] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
kinit: Client 'WELLKNOWN/ANONYMOUS@KRBTEST.COM' not found in Kerberos database while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey WELLKNOWN/ANONYMOUS
WARNING: no policy specified for WELLKNOWN/ANONYMOUS@KRBTEST.COM; defaulting to no policy
Authenticating as principal user/admin@KRBTEST.COM with password.
Principal "WELLKNOWN/ANONYMOUS@KRBTEST.COM" created.
*** [12] Completed with return code 0
*** [13] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
*** [13] Completed with return code 0
*** [14] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM@KRBTEST.COM
*** [14] Completed with return code 0
*** [15] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM: kvno = 1
*** [15] Completed with return code 0
*** [16] Starting: /root/krb5-1.13.2/src/kadmin/server/kadmind -nofork -W -p /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util -K /root/krb5-1.13.2/src/slave/kprop -F /root/krb5-1.13.2/src/tests/testdir/dump
kadmind: starting...
*** [16] Started with pid 11361
*** [17] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin -n -q addprinc -pw test testadd
WARNING: no policy specified for testadd@KRBTEST.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "testadd@KRBTEST.COM".
Authenticating as principal WELLKNOWN/ANONYMOUS@KRBTEST.COM with password; anonymous requested.
*** [17] Completed with return code 0
*** Failure: Could not create principal with anonymous kadmin

Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other options.
Comment 1 Patrik Kis 2015-08-04 11:55:28 EDT
The problem also appears on ppc64le, so it probably has nothing to do with endianity.
Comment 2 Patrik Kis 2015-08-05 11:41:14 EDT
I'm posting a new description of the issue.

Description of problem:
On the following architectures (s390x, ppc64, ppc64le) kadmind does not accept the ACL if the line in /var/kerberos/krb5kdc/kadm5.acl does not end with an EOL.

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:

# uname -p
s390x
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice@EXAMPLE.COM	*
# service kadmin start
Redirecting to /bin/systemctl start  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Principal "test@EXAMPLE.COM" created.
# kadmin -p alice -q 'delprinc -force test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
Principal "test@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
#
#
# echo -n 'alice@EXAMPLE.COM     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice@EXAMPLE.COM     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".



The same test on x86_64:

# uname -p
x86_64
# echo -n 'alice@EXAMPLE.COM     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice@EXAMPLE.COM     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Principal "test@EXAMPLE.COM" created.
Comment 3 Roland Mainz 2015-08-06 12:54:20 EDT
Taking and accepting bug...
Comment 4 Roland Mainz 2015-08-06 12:55:38 EDT
pkis:
Just to verify: Are you sure that both big-endian ppc64 and little-endian ppc64 are affected? If this is "true" then we can rule out endian-related bugs and have to look at ABI/parser differences...
Comment 5 Patrik Kis 2015-08-07 05:01:34 EDT
(In reply to Roland Mainz from comment #4)
> pkis:
> Just to verify: Are you sure that both big-endian ppc64 and little-endian
> ppc64 are affected ? If this is "true" then we can rule-out endian-related
> bugs and have to look at ABI/parser differences...

Double checked and yes, all RHEL-7.2 architectures are affected except x86_64, including the new platforms ppc64le and aarch64 (both little endian).

# uname -p
x86_64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Principal "test@EXAMPLE.COM" created.



# uname -p
s390x
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

# uname -p
ppc64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

# uname -p
ppc64le
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

# uname -p
aarch64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice@EXAMPLE.COM: 
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".
Comment 6 Roland Mainz 2015-08-18 08:50:30 EDT
(In reply to Patrik Kis from comment #5)
> (In reply to Roland Mainz from comment #4)
> > pkis:
> > Just to verify: Are you sure that both big-endian ppc64 and little-endian
> > ppc64 are affected ? If this is "true" then we can rule-out endian-related
> > bugs and have to look at ABI/parser differences...
> 
> Double checked and yes, all RHEL-7.2 architectures are affected except
> x86_64. Including the new platforms, ppc64le and aarch64 (both little
> endian).

OK... I have good news... and very very bad news:
- good news: I tracked the issue in the parser down to a difference in how the compiler handles |char| as |signed| vs. |unsigned| on the affected platforms vs. x86/AMD64
- bad news: Sun Studio lint(1) reports 38 more of these issues
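The mechanism behind comment 6, as an added illustration that is not krb5's own ACL parser: a line reader that keeps fgetc()'s result in a byte-sized variable cannot see EOF on an ABI where plain char is unsigned (the affected s390x, ppc64, ppc64le and aarch64 builds), so an unterminated last line comes back with a stray 0xFF byte and the ACL entry no longer matches. The sample ACL text and the simplified "<principal> <perms>" check are constructed for this example; `unsigned char` is used explicitly so the unsigned-char behaviour reproduces on x86_64 too.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample kadm5.acl contents: same entry with and without a final EOL. */
static const char ACL_WITH_EOL[]    = "alice@EXAMPLE.COM *\n";
static const char ACL_WITHOUT_EOL[] = "alice@EXAMPLE.COM *";

/* Load constructed text into a temporary stdio stream, rewound and ready to read. */
static FILE *open_text(const char *text) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

/* Buggy reader: 'unsigned char' models plain 'char' on the affected ABIs.
 * (unsigned char)EOF is 0xFF, so the EOF test can never fire; the loop only
 * ends once feof() is set, after the 0xFF byte was already appended. */
static void read_line_buggy(FILE *fp, char *buf, size_t n) {
    unsigned char ch;
    size_t i = 0;
    while (i + 1 < n && !feof(fp)) {
        ch = (unsigned char)fgetc(fp);
        if ((int)ch == EOF || ch == '\n')   /* the EOF branch is unreachable */
            break;
        buf[i++] = (char)ch;
    }
    buf[i] = '\0';
}

/* Fixed reader: fgetc() returns an int, so keep it in one; EOF (-1) is then
 * detected on every ABI and an unterminated last line is returned intact. */
static void read_line_fixed(FILE *fp, char *buf, size_t n) {
    int ch;
    size_t i = 0;
    while (i + 1 < n && (ch = fgetc(fp)) != EOF && ch != '\n')
        buf[i++] = (char)ch;
    buf[i] = '\0';
}

/* Simplified ACL check: "<principal> <perms>" grants op when perms is "*" or lists op. */
static int acl_grants(const char *line, const char *princ, char op) {
    char who[128], perms[32];
    if (sscanf(line, "%127s %31s", who, perms) != 2) return 0;
    if (strcmp(who, princ) != 0) return 0;
    return strcmp(perms, "*") == 0 || strchr(perms, op) != NULL;
}

/* Read the first ACL line with the chosen reader and evaluate it (1 = granted). */
static int check(const char *text, int fixed, const char *princ, char op) {
    char line[256];
    FILE *fp = open_text(text);
    if (fp == NULL) return -1;
    if (fixed) read_line_fixed(fp, line, sizeof line);
    else       read_line_buggy(fp, line, sizeof line);
    fclose(fp);
    return acl_grants(line, princ, op);
}
```

With the trailing newline both readers grant alice the add privilege; without it, only the int-based reader does, which is exactly the x86_64 vs. s390x/ppc64 difference shown in comments 2 and 5.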
Comment 7 Roland Mainz 2015-08-20 14:26:35 EDT
Fixed in krb5-1.13.2-8.el7 ...

... marking bug as MODIFIED.
Comment 12 errata-xmlrpc 2015-11-19 00:14:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html
