Bug 1356099 - Bug in the ipapwd plugin
Summary: Bug in the ipapwd plugin
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-07-13 12:04 UTC by Petr Vobornik
Modified: 2016-11-04 05:57 UTC
Last Closed: 2016-11-04 05:57:53 UTC


Attachments
This patch to allocated empty kset (1.34 KB, patch)
2016-07-13 14:43 UTC, thierry bordaz


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 12:04:27 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6030

Hi,

The Directory Service crashes several times a day. It's installed on a CentOS 7 VM:

    Installed Packages
    Name        : ipa-server
    Arch        : x86_64
    Version     : 4.2.0

    # ipactl status
    Directory Service: STOPPED
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors:

    [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
    [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed


There is a bug in the ipapwd plugin which causes a Directory Service crash when some users try to bind.

Please take a look at the attached core file.

Best regards

Comment 1 thierry bordaz 2016-07-13 14:43 UTC
Created attachment 1179310
This patch to allocated empty kset

Comment 2 Martin Bašti 2016-07-19 11:19:20 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b04f617803c430b13f8796e911f78bd65f6cf55f

Comment 3 Kaleem 2016-07-21 08:35:35 UTC
Please provide the steps to verify this.

Comment 6 Sudhir Menon 2016-09-21 09:23:52 UTC
Marking the bug verified as there is no such crash seen when a user tries to bind.

Tested on RHEL73 using
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64

[root@master ~]# ldapsearch -x -h master.test-relm.test -b dc=test-relm,dc=test uid=userx -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=test-relm,dc=test> with scope subtree
# filter: uid=userx
# requesting: ALL
#

# userx, users, compat, test-relm.test
dn: uid=userx,cn=users,cn=compat,dc=test-relm,dc=test
cn: Fx Lx
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 539000001
ipaAnchorUUID:: OklQQTp0ZXN0LXJlbG0udGVzdDoxZjdkNDIwMi03YzA2LTExZTYtYTJhMC01Mj
 U0MDBlNzE1YjE=
gecos: Fx Lx
uidNumber: 539000001
loginShell: /bin/sh
homeDirectory: /home/userx
uid: userx

# userx, users, accounts, test-relm.test
dn: uid=userx,cn=users,cn=accounts,dc=test-relm,dc=test
displayName: Fx Lx
uid: userx
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: FL
gecos: Fx Lx
sn: Lx
homeDirectory: /home/userx
givenName: Fx
cn: Fx Lx
uidNumber: 539000001
gidNumber: 539000001

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Comment 8 errata-xmlrpc 2016-11-04 05:57:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

