Bug 1356099 - Bug in the ipapwd plugin
Summary: Bug in the ipapwd plugin
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Depends On:
Reported: 2016-07-13 12:04 UTC by Petr Vobornik
Modified: 2019-12-16 06:06 UTC (History)

Fixed In Version: ipa-4.4.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:57:53 UTC
Target Upstream Version:

Attachments
This patch to allocated empty kset (1.34 KB, patch)
2016-07-13 14:43 UTC, thierry bordaz

System: Red Hat Product Errata
ID: RHBA-2016:2404
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 12:04:27 UTC
This bug is created as a clone of upstream ticket:


The Directory Service crashes several times a day. It is installed on a CentOS 7 VM:

Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 4.2.0

    # ipactl status
    Directory Service: STOPPED
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful

Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors :

    [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
    [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed

There is a bug in the ipapwd plugin which causes a Directory Service crash when some users try to bind.

Please take a look at the attached core file.

Best regards
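
An added example, not part of the original report or of the IPA project's code: a Python check that scans a Directory Server errors log for the two ipapwd messages quoted in the description and reports each key-generation failure, along with whether the hash-generation failure followed within one second. The sample input is constructed from the two quoted lines plus one made-up unrelated line; the function names and the one-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the two lines quoted in the report plus one made-up line.
SAMPLE_LOG = """\
[30/Jun/2016:09:35:18 +0100] example_plugin - unrelated constructed line
[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
"""

# Layout of the plugin error lines shown in the report.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<func>\S+)\s+-\s+"
    r"\[file (?P<file>[^,]+), line (?P<line>\d+)\]:\s+(?P<msg>.*)$"
)
KEYGEN_FUNC = "ipapwd_encrypt_encode_key"
HASH_FUNC = "ipapwd_gen_hashes"


def parse(line):
    """Parse one errors-log line; return None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_keygen_failures(text, window_seconds=1):
    """Return (timestamp, message, followed_by_hash_failure) per keygen failure."""
    records = [r for r in map(parse, text.splitlines()) if r]
    hits = []
    for i, rec in enumerate(records):
        if rec["func"] != KEYGEN_FUNC or "failed" not in rec["msg"]:
            continue
        # Assumption: the follow-up ipapwd_gen_hashes line lands within the window.
        paired = any(
            nxt["func"] == HASH_FUNC
            and 0 <= (nxt["ts"] - rec["ts"]).total_seconds() <= window_seconds
            for nxt in records[i + 1:]
        )
        hits.append((rec["ts"].isoformat(), rec["msg"], paired))
    return hits


if __name__ == "__main__":
    for ts, msg, paired in find_keygen_failures(SAMPLE_LOG):
        print(ts, msg, "paired" if paired else "unpaired")
```
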

Comment 1 thierry bordaz 2016-07-13 14:43:42 UTC
Created attachment 1179310
This patch to allocated empty kset

Comment 2 Martin Bašti 2016-07-19 11:19:20 UTC
Fixed upstream

Comment 3 Kaleem 2016-07-21 08:35:35 UTC
Please provide the steps to verify this.

Comment 6 Sudhir Menon 2016-09-21 09:23:52 UTC
Marking the bug verified as there is no such crash seen when user tries to bind.

Tested on RHEL73 using

[root@master ~]# ldapsearch -x -h master.test-relm.test -b dc=test-relm,dc=test uid=userx -W
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=test-relm,dc=test> with scope subtree
# filter: uid=userx
# requesting: ALL

# userx, users, compat, test-relm.test
dn: uid=userx,cn=users,cn=compat,dc=test-relm,dc=test
cn: Fx Lx
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 539000001
ipaAnchorUUID:: OklQQTp0ZXN0LXJlbG0udGVzdDoxZjdkNDIwMi03YzA2LTExZTYtYTJhMC01Mj
gecos: Fx Lx
uidNumber: 539000001
loginShell: /bin/sh
homeDirectory: /home/userx
uid: userx

# userx, users, accounts, test-relm.test
dn: uid=userx,cn=users,cn=accounts,dc=test-relm,dc=test
displayName: Fx Lx
uid: userx
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: FL
gecos: Fx Lx
sn: Lx
homeDirectory: /home/userx
givenName: Fx
cn: Fx Lx
uidNumber: 539000001
gidNumber: 539000001

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Comment 8 errata-xmlrpc 2016-11-04 05:57:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

