Bug 1250154 - [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.1
Hardware: s390x
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: Patrik Kis
Reported: 2015-08-04 15:33 UTC by Patrik Kis
Modified: 2015-11-19 05:14 UTC (History)

Fixed In Version: krb5-1.13.2-8.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1281725 (view as bug list)
Environment:
Last Closed: 2015-11-19 05:14:16 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2154 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix, and enhancement update 2015-11-19 08:16:22 UTC

Description Patrik Kis 2015-08-04 15:33:41 UTC
Description of problem:
After the krb5 rebase there is a new piece of upstream test code that fails on s390x and ppc64 and passes on x86_64 (plan to test on aarch64 and ppc64le too). It also fails without the downstream patches.

The new part of the test that fails is in src/tests/t_pkinit.py:

  # Test anonymous kadmin.
  f = open(os.path.join(realm.testdir, 'acl'), 'a')
  f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
  f.close()
  realm.start_kadmind()
  out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
  if 'created.' not in out:
      fail('Could not create principal with anonymous kadmin')
  out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
  if "Operation requires ``get'' privilege" not in out:
      fail('Anonymous kadmin has too much privilege')
  realm.stop_kadmind()

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:
# PYTHONPATH=../util VALGRIND="" python ./t_pkinit.py  -v
*** [1] Executing: /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/M'
*** [1] Completed with return code 0
*** [2] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw user11345 user
WARNING: no policy specified for user; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "user" created.
*** [2] Completed with return code 0
*** [3] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw admin11345 user/admin
WARNING: no policy specified for user/admin; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "user/admin" created.
*** [3] Completed with return code 0
*** [4] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey host/ibm-z10-46.rhts.eng.bos.redhat.com
WARNING: no policy specified for host/ibm-z10-46.rhts.eng.bos.redhat.com; defaulting to no policy
Authenticating as principal root/admin with password.
Principal "host/ibm-z10-46.rhts.eng.bos.redhat.com" created.
*** [4] Completed with return code 0
*** [5] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q ktadd -k /root/krb5-1.13.2/src/tests/testdir/keytab -norandkey host/ibm-z10-46.rhts.eng.bos.redhat.com
Authenticating as principal root/admin with password.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /root/krb5-1.13.2/src/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 11351
*** [7] Executing: ./responder -r password=user11345 user
*** [7] Completed with return code 0
*** [8] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit user
Password for user: 
*** [8] Completed with return code 0
*** [9] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: user

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM
*** [9] Completed with return code 0
*** [10] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com
host/ibm-z10-46.rhts.eng.bos.redhat.com: kvno = 1
*** [10] Completed with return code 0
*** [11] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
kinit: Client 'WELLKNOWN/ANONYMOUS' not found in Kerberos database while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey WELLKNOWN/ANONYMOUS
WARNING: no policy specified for WELLKNOWN/ANONYMOUS; defaulting to no policy
Authenticating as principal user/admin with password.
Principal "WELLKNOWN/ANONYMOUS" created.
*** [12] Completed with return code 0
*** [13] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
*** [13] Completed with return code 0
*** [14] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting     Expires            Service principal
08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM
*** [14] Completed with return code 0
*** [15] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com
host/ibm-z10-46.rhts.eng.bos.redhat.com: kvno = 1
*** [15] Completed with return code 0
*** [16] Starting: /root/krb5-1.13.2/src/kadmin/server/kadmind -nofork -W -p /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util -K /root/krb5-1.13.2/src/slave/kprop -F /root/krb5-1.13.2/src/tests/testdir/dump
kadmind: starting...
*** [16] Started with pid 11361
*** [17] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin -n -q addprinc -pw test testadd
WARNING: no policy specified for testadd; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "testadd".
Authenticating as principal WELLKNOWN/ANONYMOUS with password; anonymous requested.
*** [17] Completed with return code 0
*** Failure: Could not create principal with anonymous kadmin

Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other options.

Comment 1 Patrik Kis 2015-08-04 15:55:28 UTC
The problem also appears on ppc64le, so it probably has nothing to do with endianness.

Comment 2 Patrik Kis 2015-08-05 15:41:14 UTC
I'm posting a new description of the issue.

Description of problem:
On the following architectures (s390x, ppc64, ppc64le) kadmind does not accept the ACL if the line in /var/kerberos/krb5kdc/kadm5.acl does not end with EOL.

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:

# uname -p
s390x
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice	*
# service kadmin start
Redirecting to /bin/systemctl start  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.
# kadmin -p alice -q 'delprinc -force test'
Authenticating as principal alice with password.
Password for alice: 
Principal "test" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
#
#
# echo -n 'alice     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".



The same test on x86_64:

# uname -p
x86_64
# echo -n 'alice     *' >/var/kerberos/krb5kdc/kadm5.acl
# cat /var/kerberos/krb5kdc/kadm5.acl 
alice     *#
# service kadmin restart
Redirecting to /bin/systemctl restart  kadmin.service
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.

Comment 3 Roland Mainz 2015-08-06 16:54:20 UTC
Taking and accepting bug...

Comment 4 Roland Mainz 2015-08-06 16:55:38 UTC
pkis:
Just to verify: Are you sure that both big-endian ppc64 and little-endian ppc64 are affected? If this is "true" then we can rule out endian-related bugs and have to look at ABI/parser differences...

Comment 5 Patrik Kis 2015-08-07 09:01:34 UTC
(In reply to Roland Mainz from comment #4)
> pkis:
> Just to verify: Are you sure that both big-endian ppc64 and little-endian
> ppc64 are affected? If this is "true" then we can rule out endian-related
> bugs and have to look at ABI/parser differences...

Double checked and yes, all RHEL-7.2 architectures are affected except x86_64. Including the new platforms, ppc64le and aarch64 (both little endian).

# uname -p
x86_64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
Principal "test" created.



# uname -p
s390x
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
ppc64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
ppc64le
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

# uname -p
aarch64
# kadmin -p alice -q 'addprinc -pw test test'
Authenticating as principal alice with password.
Password for alice: 
WARNING: no policy specified for test; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "test".

Comment 6 Roland Mainz 2015-08-18 12:50:30 UTC
(In reply to Patrik Kis from comment #5)
> (In reply to Roland Mainz from comment #4)
> > pkis:
> > Just to verify: Are you sure that both big-endian ppc64 and little-endian
> > ppc64 are affected? If this is "true" then we can rule out endian-related
> > bugs and have to look at ABI/parser differences...
> 
> Double checked and yes, all RHEL-7.2 architectures are affected except
> x86_64. Including the new platforms, ppc64le and aarch64 (both little
> endian).

OK... I have good news... and very very bad news:
- good news: I tracked the issue in the parser down to a difference in how the compiler handles |char| with |signed| vs. |unsigned| on the affected platforms vs. x86/AMD64
- bad news: Sun Studio lint(1) reports 38 more of these issues
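
Added example, not part of the original thread and not krb5's own code: a minimal C illustration of the class of defect Comment 6 names, where the type used to hold an fgetc()-style result decides whether end-of-file is detected on an ACL line with no trailing newline. All names (next_byte, read_line_*, first_line_grants_all) are hypothetical, and signed/unsigned char are spelled out explicitly so both behaviours reproduce on any build host.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for fgetc(): next byte as an unsigned char value, or EOF. */
struct src { const char *p; size_t left; };
static int next_byte(struct src *s) {
    if (s->left == 0) return EOF;
    s->left--;
    return (unsigned char)*s->p++;
}

/* One line reader per storage type T for the fgetc() result. The loop is
 * identical; only T changes whether "c == EOF" can ever be true. */
#define DEFINE_READER(name, T)                                    \
static size_t name(struct src *s, char *buf, size_t cap) {        \
    size_t i = 0;                                                 \
    while (i + 1 < cap) {                                         \
        T c = (T)next_byte(s);                                    \
        if (c == EOF || c == '\n') break;                         \
        buf[i++] = (char)c;                                       \
    }                                                             \
    buf[i] = '\0';                                                \
    return i;                                                     \
}
DEFINE_READER(read_line_schar, signed char)   /* plain char on x86_64 */
DEFINE_READER(read_line_uchar, unsigned char) /* plain char on s390x, ppc64(le), aarch64 */
DEFINE_READER(read_line_int, int)             /* correct: holds every byte and EOF */

typedef size_t (*reader_fn)(struct src *, char *, size_t);

/* Hypothetical helper: does the first line grant "*" (all privileges)? */
static int first_line_grants_all(reader_fn rd, const char *data, size_t len) {
    struct src s = { data, len };
    char line[64], princ[32], ops[32];
    rd(&s, line, sizeof line);
    if (sscanf(line, "%31s %31s", princ, ops) != 2) return 0;
    return strcmp(ops, "*") == 0;
}

int main(void) {
    const char *acl = "alice     *";  /* constructed: no trailing newline */
    printf("signed char:   %d\n", first_line_grants_all(read_line_schar, acl, 11));
    printf("unsigned char: %d\n", first_line_grants_all(read_line_uchar, acl, 11));
    printf("int:           %d\n", first_line_grants_all(read_line_int, acl, 11));
    printf("unsigned char, with newline: %d\n",
           first_line_grants_all(read_line_uchar, "alice     *\n", 12));
    return 0;
}
```

With unsigned storage the EOF value becomes 255, never equals EOF, and is appended to the operations field, so the entry no longer matches "*". The signed variant only appears to work: it treats a legitimate 0xFF byte in the file as end-of-file.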

Comment 7 Roland Mainz 2015-08-20 18:26:35 UTC
Fixed in krb5-1.13.2-8.el7 ...

... marking bug as MODIFIED.

Comment 12 errata-xmlrpc 2015-11-19 05:14:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html

