Bug 1251586 - KDC sends multiple requests to ipa-otpd for the same authentication
KDC sends multiple requests to ipa-otpd for the same authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
7.1
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Robbie Harwood
Namita Soman
: ZStream
Depends On:
Blocks: 1256870
  Show dependency treegraph
 
Reported: 2015-08-07 15:57 EDT by Nathaniel McCallum
Modified: 2015-11-19 00:14 EST (History)
7 users (show)

See Also:
Fixed In Version: krb5-1.13.2-5.el7
Doc Type: Bug Fix
Doc Text:
Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation.
Story Points: ---
Clone Of:
: 1256870 (view as bug list)
Environment:
Last Closed: 2015-11-19 00:14:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nathaniel McCallum 2015-08-07 15:57:39 EDT
The patch at the following link fixes the issue and has been submitted upstream.

https://github.com/krb5/krb5/pull/308
Comment 2 Namita Soman 2015-08-07 16:20:34 EDT
Pls add steps to verify
Comment 3 Nathaniel McCallum 2015-08-07 16:34:15 EDT
1. Clean install of IPA.
2. Log in as admin: kinit admin
3. Add a radius server record (ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo).
4. DO NOT set up an actual radius server. We want the requests to time out.
5. Add a user: ipa user-add foo.
6. Set the user's password: ipa passwd foo
7. Configure user for radius: ipa user-mod foo --radius=foo --user-auth-type=radius
8. In another window, run: journalctl --follow
9. Authenticate as user foo.

In the journalctl window, you should see only one request processed by ipa-otpd rather than four.
Comment 4 Roland Mainz 2015-08-07 16:49:45 EDT
Taking bug myself and switching to "assigned" ...
Comment 5 Roland Mainz 2015-08-07 16:54:29 EDT
(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
> 
> https://github.com/krb5/krb5/pull/308

Sigh...
... npmccallum: Do you know any other places in krb5 territory which do a similar kind of retry for UDP which should not be used for reliable transports like TCP ?
Comment 6 Roland Mainz 2015-08-07 16:55:16 EDT
(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
> 
> https://github.com/krb5/krb5/pull/308

Patch OK, r=rmainz@redhat.com for https://github.com/krb5/krb5/commit/25e0656fdf9862faf9aa91288023776e9a47caad
Comment 7 Nathaniel McCallum 2015-08-07 17:28:38 EDT
No. This arose precisely because of the radius code as part of the OTP project.
Comment 8 Roland Mainz 2015-08-08 17:53:04 EDT
Patch checked-in (krb5-1.13.2-5.el7) ...

... marking bug as MODIFIED.
Comment 17 Xiyang Dong 2015-09-04 15:14:08 EDT
Verified based on Comment 3:
[root@ibm-x3650m4-01-vm-03 ~]# rpm -q krb5-server ipa-server
krb5-server-1.12.2-15.el7_1.x86_64
ipa-server-4.1.0-18.el7_1.4.x86_64

[root@ibm-x3650m4-01-vm-03 ~]# ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo
Secret:
Enter Secret again to verify:
-------------------------------
Added RADIUS proxy server "foo"
-------------------------------
  RADIUS proxy server name: foo
  Server: localhost.localdomain
  Secret: MQ==
  Retries: 0
[root@ibm-x3650m4-01-vm-03 ~]# ipa user-add foo
First name: foo
Last name: foo
----------------
Added user "foo"
----------------
  User login: foo
  First name: foo
  Last name: foo
  Full name: foo foo
  Display name: foo foo
  Initials: ff
  Home directory: /home/foo
  GECOS: foo foo
  Login shell: /bin/sh
  Kerberos principal: foo@TESTRELM.TEST
  Email address: foo@testrelm.test
  UID: 1143400001
  GID: 1143400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ibm-x3650m4-01-vm-03 ~]# ipa passwd foo
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "foo@TESTRELM.TEST"
----------------------------------------
[root@ibm-x3650m4-01-vm-03 ~]# ipa user-mod foo --radius=foo --user-auth-type=radius
-------------------
Modified user "foo"
-------------------
  User login: foo
  First name: foo
  Last name: foo
  Home directory: /home/foo
  Login shell: /bin/sh
  Email address: foo@testrelm.test
  UID: 1143400001
  GID: 1143400001
  Account disabled: False
  User authentication types: radius
  RADIUS proxy configuration: foo
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ibm-x3650m4-01-vm-03 ~]# journalctl --follow
.
.
.
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_unix(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=...ser=foo
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: user query start
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: user query end: uid=foo,cn=users,cn=accounts,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: radius query start: cn=foo,cn=radiusproxy,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: radius query end: localhost.localdomain
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: forward start: foo / localhost.localdomain
Sep 04 15:11:37 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393897.402594] [devices/nm-device.c:2303] activation_source...eduled
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=p...ser=foo
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): received for user foo: 17 (Failure setting user credentials)
Sep 04 15:11:43 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: FAILED SU (to foo) root on pts/0
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: forward end: Connection timed out
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: response sent: Access-Reject
Sep 04 15:12:03 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393923.451953] [devices/nm-device.c:2303] activation_source...eduled
Comment 20 errata-xmlrpc 2015-11-19 00:14:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html

Note You need to log in before you can comment on or make changes to this bug.