Red Hat Bugzilla – Bug 1250154
[s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL
Last modified: 2015-11-19 00:14:16 EST
Description of problem:
After krb5 rebase there is a new piece of upstream test code that fails on s390x and ppc64 and passes on x86_64 (plan to test on aarch64 and ppc64le too). It also fails without the downstream patches.

The new part of the test that fails is in src/tests/t_pkinit.py:

    # Test anonymous kadmin.
    f = open(os.path.join(realm.testdir, 'acl'), 'a')
    f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
    f.close()
    realm.start_kadmind()
    out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
    if 'created.' not in out:
        fail('Could not create principal with anonymous kadmin')
    out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
    if "Operation requires ``get'' privilege" not in out:
        fail('Anonymous kadmin has too much privilege')
    realm.stop_kadmind()

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:

    # PYTHONPATH=../util VALGRIND="" python ./t_pkinit.py -v
    *** [1] Executing: /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util create -W -s -P master
    Loading random data
    Initializing database '/usr/local/var/krb5kdc/principal' for realm 'KRBTEST.COM',
    master key name 'K/M@KRBTEST.COM'
    *** [1] Completed with return code 0
    *** [2] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw user11345 user@KRBTEST.COM
    WARNING: no policy specified for user@KRBTEST.COM; defaulting to no policy
    Authenticating as principal root/admin@KRBTEST.COM with password.
    Principal "user@KRBTEST.COM" created.
    *** [2] Completed with return code 0
    *** [3] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -pw admin11345 user/admin@KRBTEST.COM
    WARNING: no policy specified for user/admin@KRBTEST.COM; defaulting to no policy
    Authenticating as principal root/admin@KRBTEST.COM with password.
    Principal "user/admin@KRBTEST.COM" created.
    *** [3] Completed with return code 0
    *** [4] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
    WARNING: no policy specified for host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM; defaulting to no policy
    Authenticating as principal root/admin@KRBTEST.COM with password.
    Principal "host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM" created.
    *** [4] Completed with return code 0
    *** [5] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q ktadd -k /root/krb5-1.13.2/src/tests/testdir/keytab -norandkey host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
    Authenticating as principal root/admin@KRBTEST.COM with password.
    Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
    Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
    Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
    Entry for principal host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/krb5-1.13.2/src/tests/testdir/keytab.
    *** [5] Completed with return code 0
    *** [6] Starting: /root/krb5-1.13.2/src/kdc/krb5kdc -n
    krb5kdc: starting...
    *** [6] Started with pid 11351
    *** [7] Executing: ./responder -r password=user11345 user@KRBTEST.COM
    *** [7] Completed with return code 0
    *** [8] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit user@KRBTEST.COM
    Password for user@KRBTEST.COM:
    *** [8] Completed with return code 0
    *** [9] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
    Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
    Default principal: user@KRBTEST.COM
    Valid starting     Expires            Service principal
    08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM@KRBTEST.COM
    *** [9] Completed with return code 0
    *** [10] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
    host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM: kvno = 1
    *** [10] Completed with return code 0
    *** [11] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
    kinit: Client 'WELLKNOWN/ANONYMOUS@KRBTEST.COM' not found in Kerberos database while getting initial credentials
    *** [11] Completed with return code 1
    *** [12] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin.local -q addprinc -randkey WELLKNOWN/ANONYMOUS
    WARNING: no policy specified for WELLKNOWN/ANONYMOUS@KRBTEST.COM; defaulting to no policy
    Authenticating as principal user/admin@KRBTEST.COM with password.
    Principal "WELLKNOWN/ANONYMOUS@KRBTEST.COM" created.
    *** [12] Completed with return code 0
    *** [13] Executing: /root/krb5-1.13.2/src/clients/kinit/kinit -n @KRBTEST.COM
    *** [13] Completed with return code 0
    *** [14] Executing: /root/krb5-1.13.2/src/clients/klist/klist /root/krb5-1.13.2/src/tests/testdir/ccache
    Ticket cache: FILE:/root/krb5-1.13.2/src/tests/testdir/ccache
    Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    Valid starting     Expires            Service principal
    08/04/15 11:28:50  08/05/15 11:28:50  krbtgt/KRBTEST.COM@KRBTEST.COM
    *** [14] Completed with return code 0
    *** [15] Executing: /root/krb5-1.13.2/src/clients/kvno/kvno host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM
    host/ibm-z10-46.rhts.eng.bos.redhat.com@KRBTEST.COM: kvno = 1
    *** [15] Completed with return code 0
    *** [16] Starting: /root/krb5-1.13.2/src/kadmin/server/kadmind -nofork -W -p /root/krb5-1.13.2/src/kadmin/dbutil/kdb5_util -K /root/krb5-1.13.2/src/slave/kprop -F /root/krb5-1.13.2/src/tests/testdir/dump
    kadmind: starting...
    *** [16] Started with pid 11361
    *** [17] Executing: /root/krb5-1.13.2/src/kadmin/cli/kadmin -n -q addprinc -pw test testadd
    WARNING: no policy specified for testadd@KRBTEST.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "testadd@KRBTEST.COM".
    Authenticating as principal WELLKNOWN/ANONYMOUS@KRBTEST.COM with password; anonymous requested.
    *** [17] Completed with return code 0
    *** Failure: Could not create principal with anonymous kadmin
    Use --debug=NUM to run a command under a debugger.
    Use --stop-after=NUM to stop after a daemon is started in order to attach to it with a debugger.
    Use --help to see other options.
The problem also appears on ppc64le, so it probably has nothing to do with endianness.
I'm posting a new description of the issue.

Description of problem:
On the following architectures (s390x, ppc64, ppc64le) kadmind does not accept the ACL if the line in /var/kerberos/krb5kdc/kadm5.acl does not end with EOL.

Version-Release number of selected component (if applicable):
krb5-1.13.2-4.el7

How reproducible:
always

Steps to Reproduce:

    # uname -p
    s390x
    # cat /var/kerberos/krb5kdc/kadm5.acl
    alice@EXAMPLE.COM *
    # service kadmin start
    Redirecting to /bin/systemctl start kadmin.service
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    Principal "test@EXAMPLE.COM" created.
    # kadmin -p alice -q 'delprinc -force test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    Principal "test@EXAMPLE.COM" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
    #
    #
    # echo -n 'alice@EXAMPLE.COM *' >/var/kerberos/krb5kdc/kadm5.acl
    # cat /var/kerberos/krb5kdc/kadm5.acl
    alice@EXAMPLE.COM *#
    # service kadmin restart
    Redirecting to /bin/systemctl restart kadmin.service
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

The same test on x86_64:

    # uname -p
    x86_64
    # echo -n 'alice@EXAMPLE.COM *' >/var/kerberos/krb5kdc/kadm5.acl
    # cat /var/kerberos/krb5kdc/kadm5.acl
    alice@EXAMPLE.COM *#
    # service kadmin restart
    Redirecting to /bin/systemctl restart kadmin.service
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    Principal "test@EXAMPLE.COM" created.
Taking and accepting bug...
pkis:
Just to verify: Are you sure that both big-endian ppc64 and little-endian ppc64 are affected? If this is "true" then we can rule out endian-related bugs and have to look at ABI/parser differences...
(In reply to Roland Mainz from comment #4)
> pkis:
> Just to verify: Are you sure that both big-endian ppc64 and little-endian
> ppc64 are affected? If this is "true" then we can rule out endian-related
> bugs and have to look at ABI/parser differences...

Double checked and yes, all RHEL-7.2 architectures are affected except x86_64. Including the new platforms, ppc64le and aarch64 (both little endian).

    # uname -p
    x86_64
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    Principal "test@EXAMPLE.COM" created.

    # uname -p
    s390x
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

    # uname -p
    ppc64
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

    # uname -p
    ppc64le
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".

    # uname -p
    aarch64
    # kadmin -p alice -q 'addprinc -pw test test'
    Authenticating as principal alice with password.
    Password for alice@EXAMPLE.COM:
    WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
    add_principal: Operation requires ``add'' privilege while creating "test@EXAMPLE.COM".
(In reply to Patrik Kis from comment #5)
> (In reply to Roland Mainz from comment #4)
> > pkis:
> > Just to verify: Are you sure that both big-endian ppc64 and little-endian
> > ppc64 are affected? If this is "true" then we can rule out endian-related
> > bugs and have to look at ABI/parser differences...
>
> Double checked and yes, all RHEL-7.2 architectures are affected except
> x86_64. Including the new platforms, ppc64le and aarch64 (both little
> endian).

OK... I have good news... and very very bad news:
- good news: I tracked the issue in the parser down to a difference in how the compiler handles |char| with |signed| vs. |unsigned| on the affected platforms vs. x86/AMD64
- bad news: Sun Studio lint(1) reports 38 more of these issues
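Added illustration, not part of the bug thread and not krb5's parser code: the class of defect named in the comment above, where the result of a getc-style call is narrowed to a `char` before the EOF test, so a last line without EOL is read differently depending on whether `char` is signed. `read_line`, `src_getc` and `enum narrow` are hypothetical names, and the byte source is an in-memory stand-in for `fgetc()`.

```c
/* Hypothetical names; illustration only, not krb5 code. */
#include <stdio.h>
#include <string.h>
enum narrow { AS_SIGNED_CHAR, AS_UNSIGNED_CHAR, AS_INT };

/* Constructed sample: one ACL entry with no trailing newline. */
static const char ACL_NO_EOL[] = "alice@EXAMPLE.COM *";

/* In-memory stand-in for fgetc(): a byte as 0..255, or EOF at the end. */
struct src { const unsigned char *p; size_t len, pos; };
static int src_getc(struct src *s)
{
    return s->pos < s->len ? s->p[s->pos++] : EOF;
}

/* Read the first line of text into out (cap bytes); returns bytes stored.
 * `how` models the type of the variable that receives the getc result. */
static size_t read_line(const char *text, size_t len, char *out, size_t cap,
                        enum narrow how)
{
    struct src s = { (const unsigned char *)text, len, 0 };
    size_t n = 0;
    while (n + 1 < cap) {
        int c = src_getc(&s);
        if (how == AS_SIGNED_CHAR)          /* plain char on x86_64 */
            c = (signed char)c;
        else if (how == AS_UNSIGNED_CHAR)   /* plain char on s390x, ppc64, aarch64 */
            c = (unsigned char)c;
        /* AS_INT: keep the int, so EOF (-1) stays distinct from byte 0xFF. */
        if (c == EOF || c == '\n')
            break;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    static const char *names[] = { "signed char", "unsigned char", "int" };
    char buf[64];
    for (int m = AS_SIGNED_CHAR; m <= AS_INT; m++) {
        size_t n = read_line(ACL_NO_EOL, strlen(ACL_NO_EOL), buf, sizeof buf,
                             (enum narrow)m);
        printf("%-13s -> %2zu bytes, entry intact: %s\n", names[m], n,
               strcmp(buf, ACL_NO_EOL) == 0 ? "yes" : "no");
    }
    return 0;
}
```

With the unsigned model the end-of-input value is stored as byte 0xFF and the loop stops only when the buffer is full, so the entry no longer matches; with the signed model a real 0xFF byte in the file is mistaken for end of input. Building and running the test suite with GCC's `-funsigned-char` on x86_64 is one way to surface this class of bug without access to the other architectures.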
Fixed in krb5-1.13.2-8.el7 ... ... marking bug as MODIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2154.html