Description of problem: Crash occurred during openQA FreeIPA server deployment test on Fedora-Rawhide-20161027.n.0 nightly: https://openqa.fedoraproject.org/tests/44590 . System logs at https://openqa.fedoraproject.org/tests/44590/file/role_deploy_domain_controller-var_log.tar.gz . Version-Release number of selected component: krb5-server-1.15-1.fc26.beta1.0 Additional info: reporter: libreport-2.8.0 backtrace_rating: 4 cmdline: kdb5_util create -s -r DOMAIN.LOCAL -x ipa-setup-override-restrictions crash_function: ipadb_change_pwd executable: /usr/sbin/kdb5_util global_pid: 7853 kernel: 4.9.0-0.rc2.git1.1.fc26.x86_64 pkg_fingerprint: 812A 6B4B 64DA B85D pkg_vendor: Fedora Project runlevel: N 3 type: CCpp uid: 0 Truncated backtrace: Thread no. 1 (3 frames) #0 ipadb_change_pwd at ipa_kdb_passwords.c:126 #1 add_principal at kdb5_create.c:455 #2 kdb5_create at kdb5_create.c:317
Created attachment 1215156 [details] File: backtrace
Created attachment 1215157 [details] File: cgroup
Created attachment 1215158 [details] File: core_backtrace
Created attachment 1215159 [details] File: dso_list
Created attachment 1215160 [details] File: environ
Created attachment 1215161 [details] File: exploitable
Created attachment 1215162 [details] File: limits
Created attachment 1215163 [details] File: maps
Created attachment 1215164 [details] File: mountinfo
Created attachment 1215165 [details] File: namespaces
Created attachment 1215166 [details] File: open_fds
Created attachment 1215167 [details] File: proc_pid_status
Created attachment 1215168 [details] File: var_log_messages
Proposing as a Fedora 26 Alpha blocker, per Alpha criterion "The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this" - 'domain controller' is one of the Featured roles, and this is part of its 'core functional requirements', obviously.
Notes for handoff: the function krb5 is trying to call into here is the encrypt_key_data handle. A first pass suggests that there's a mismatch in what IPA expects this table to look like.
The problem is the vtable has been changed in krb5 (look at kdb.h). This results in the following: (gdb) p *v $2 = {maj_ver = 6, min_ver = 0, init_library = 0x7ffff5738680 <ipadb_init_library>, fini_library = 0x7ffff5738540 <ipadb_fini_library>, init_module = 0x7ffff5738ef0 <ipadb_init_module>, fini_module = 0x7ffff57386e0 <ipadb_fini_module>, create = 0x7ffff57392f0 <ipadb_create>, destroy = 0x0, get_age = 0x7ffff5738550 <ipadb_get_age>, lock = 0x0, unlock = 0x0, get_principal = 0x7ffff573d4d0 <ipadb_get_principal>, put_principal = 0x7ffff573c4b0 <ipadb_free_principal>, delete_principal = 0x7ffff573d7f0 <ipadb_put_principal>, rename_principal = 0x7ffff573dc10 <ipadb_delete_principal>, iterate = 0x7ffff573de50 <ipadb_iterate>, create_policy = 0x7ffff573e1c0 <ipadb_create_pwd_policy>, get_policy = 0x7ffff573e1d0 <ipadb_get_pwd_policy>, put_policy = 0x7ffff573e4a0 <ipadb_put_pwd_policy>, iter_policy = 0x7ffff573e4b0 <ipadb_iterate_pwd_policy>, delete_policy = 0x7ffff573e4c0 <ipadb_delete_pwd_policy>, fetch_master_key = 0x7ffff573e4d0 <ipadb_free_pwd_policy>, fetch_master_key_list = 0x7ffff5738580 <ipadb_alloc>, store_master_key_list = 0x7ffff5738570 <ipadb_free>, dbe_search_enctype = 0x7ffff573a0b0 <ipadb_fetch_master_key>, change_pwd = 0x7ffff79a6b00 <krb5_dbe_def_cpw>, promote_db = 0x7ffff573a360 <ipadb_store_master_key_list>, decrypt_key_data = 0x7ffff79a5140 <krb5_dbe_def_decrypt_key_data>, encrypt_key_data = 0x7ffff573a570 <ipadb_change_pwd>, sign_authdata = 0x0, check_transited_realms = 0x0, check_policy_as = 0x0, check_policy_tgs = 0x7ffff5740f70 <ipadb_sign_authdata>, audit_as_req = 0x7ffff5742810 <ipadb_check_transited_realms>, refresh_config = 0x7ffff573e500 <ipadb_check_policy_as>, check_allowed_to_delegate = 0x0} (gdb) Suggested fix is for FreeIPA to use designated initializers to avoid shipping this problem in the future.
Ther should be a version number bumped by MIT that will cause the build to fail, did the build fail to fail ? Or was the DAL version not changed (happened before for one of these v. numbers) ?
The commit that introduced the problem was 03d34fcfa329fbc2f686a0b34e2731e37f483a34 which does not seem to have incremented this version. I'll bring it up with upstream.
Actually I take that back. The value of KRB5_KDB_DAL_MAJOR_VERSION was changed from 5 to 6 by another commit (c38838be956ce72fcd7142f14bc374dc13dd8bb2) so freeipa should have picked it up.
This should fix it: https://github.com/freeipa/freeipa/pull/205 We were not failing when DAL MAJOR changed, that is also addressed here.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6466
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2775042787be4ea236c0b99dd75337414e24b89d
Should be fixed in freeipa-4.4.2-3.fc26 http://koji.fedoraproject.org/koji/buildinfo?buildID=821068