Bug 1505925 - kdc segfault in openldap libs when ipa-server is installed and custom pkinit is configured
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-24 14:56 UTC by Patrik Kis
Modified: 2018-10-30 10:58 UTC (History)

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:57:10 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 0 None None None 2018-10-30 10:58:17 UTC

Description Patrik Kis 2017-10-24 14:56:34 UTC
Description of problem:
kdc segfault was observed when the certauth plugin points to ipadb.so.
It starts on RHEL-7.3 when ipa-server-4.5.0-20.el7 (from RHEL-7.4) is installed. Backtrace goes down from krb5 through ipa to openldap. Not sure if the issue is in openldap triggered by the ipa krb5 plugin or in the ipa plugin itself. As it is triggered by the ipa-server plugin, filing it for ipa now, but feel free to move it to the right component.

Also tested on the latest builds, the issue is still there.

#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0)
    at memory.c:637
#2  0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, 
    brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
#3  0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, 
    url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3)
    at url.c:1293
#4  0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, 
    url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
#5  0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1)
    at options.c:584
#6  0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>)
    at open.c:245
#7  0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
#8  0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
#9  ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, 
    basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, 
    filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", 
    attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0)
    at ipa_kdb_certauth.c:160
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, 
    cert=0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, 
    opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, 
    cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, 
    context=0x55f6dc452ef0) at pkinit_srv.c:367
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, 
    enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, 
    moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, 
    from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, 
    respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, 
    pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, 
    respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340)
    at event.c:1350
#20 event_process_active (base=<optimized out>) at event.c:1420
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065


Version-Release number of selected component (if applicable):
openldap-2.4.44-5.el7
krb5-server-1.15.1-8.el7
ipa-server-4.5.0-20.el7

How reproducible:
always

Steps to Reproduce:
1. Install ipa-server package and make sure certauth plugin points to ipadb.so
# cat /etc/krb5.conf.d/ipa-certauth 
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }


2. Do not set up ipa server, just create certs and set up KDC with pkinit
# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 EXAMPLE.COM = {
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


3. Configure a principal with preauth required and do kinit

Actual results:
kdc segfault

Expected results:
no segfault

Additional info:

(gdb) bt f
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
No locals.
#1  0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0)
    at memory.c:637
        p = <optimized out>
        len = <optimized out>
#2  0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, 
    brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
        res = <optimized out>
        str = <optimized out>
        s = <optimized out>
        lasts = 0x7ffe7082824f ""
        i = <optimized out>
#3  0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, 
    url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3)
    at url.c:1293
        i = <optimized out>
        rc = <optimized out>
        ludp = 0x28
        urls = <optimized out>
        __PRETTY_FUNCTION__ = "ldap_url_parselist_int"
#4  0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, 
    url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
No locals.
#5  0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1)
    at options.c:584
        urls = 0x1 <Address 0x1 out of bounds>
        ludlist = 0x0
        lo = 0x55f6dc4479e0
        dbglvl = 0x0
        rc = 0
        __PRETTY_FUNCTION__ = "ldap_set_option"
#6  0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>)
    at open.c:245
        rc = <optimized out>
        ld = 0x55f6dc442b30
#7  0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
        tv = {tv_sec = 5, tv_usec = 0}
        res = 0x0
        first = <optimized out>
        ret = <optimized out>
        v3 = 22006
#8  0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
No locals.
#9  ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, 
    basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, 
    filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", 
    attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
        ret = <optimized out>
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0)
    at ipa_kdb_certauth.c:160
        ret = <optimized out>
        prio = 32766
        ipactx = 0x55f6dc452470
        result = 0x0
        le = <optimized out>
        ctx = 0x0
        kerr = <optimized out>
        c = <optimized out>
        match_rule = 0x0
        domains = 0x0
        certmap_attrs = {0x7fefc3e2a6f8 "objectClass", 0x7fefc3e2b990 "ipaCertMapPriority", 
          0x7fefc3e2b9a3 "ipaCertMapMatchRule", 0x7fefc3e2b9b7 "ipaCertMapMapRule", 
          0x7fefc3e2b9c9 "associatedDomain", 0x7fefc3e2b9da "ipaEnabledFlag", 0x0}
        basedn = 0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal"
        lc = <optimized out>
        map_rule = 0x0
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, 
    cert=0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, 
    opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
        cert_filter = 0x0
        domains = 0x0
        ret = <optimized out>
        c = <optimized out>
        principal = 0x0
        auth_inds = 0x0
        res = 0x0
        kerr = <optimized out>
        lentry = 0x0
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, 
    cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, 
    context=0x55f6dc452ef0) at pkinit_srv.c:367
        opts = {cb = 0x55f6da9d9020 <callbacks>, rock = 0x55f6dc4550c0, plgctx = 0x55f6dc425d30, 
          reqctx = 0x55f6dc43cab0}
        cert = 0x55f6dc4482c0 "0\202\003r0\202\002۠\003\002\001\002\002\t"
        ais = 0x0
        ret = <optimized out>
        h = 0x55f6dc439f30
        db_ent = 0x0
        ai = <optimized out>
        accepted = 0
        i = <optimized out>
        cert_len = 886
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, 
    enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, 
    moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
        retval = 0
        authp_data = {magic = 0, length = 943, 
          data = 0x55f6dc443450 "0\202\003\253\240<0:\240\005\002\003\001\036s\241\021\030\017\062\060\061\067\061\060\062\064\061\064\063\062\065\063Z\242\006\002\004\031\336My\243\026\004\024\001\362T\020\274eo\036H\202x\355\071\215)\035\314\307\346ݡ\202\003+0\202\003'0\202\002\031\006\a*\206H\316>\002\001\060\202\002\f\002\202\001\001"}
        krb5_authz = {magic = 0, length = 504, 
          data = 0x55f6dc4480c0 "0\202\001\364\060\202\001\004\200o0m1\v0\t\006\003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\003U\004\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd1\022\060\020\006\003U\004\v\f\tdummyunit1\016\060\f\006\003U\004\003\f\005alice\201y0w0j1\v0\t\006\003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\003U\004\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd"...}
        reqp = 0x55f6dc43eac0
        reqp9 = 0x0
        auth_pack = 0x0
        auth_pack9 = 0x0
        plgctx = 0x55f6dc425d30
        reqctx = 0x55f6dc43cab0
        cksum = {magic = 0, checksum_type = 0, length = 0, contents = 0x0}
        der_req = 0x0
        k5data = {magic = 32, length = 2495, 
          data = 0x55f6dc4543d0 "0\202\t\273\200\202\b\305\060\202\b\301\006\t*\206H\206\367\r\001\a\002\240\202\b\262\060\202\b\256\002\001\003\061\v0\t\006\005+\016\003\002\032\005"}
        is_signed = 1
        e_data = 0x0
        modreq = 0x0
        sp = <optimized out>
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
        __PRETTY_FUNCTION__ = "next_padata"
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, 
    from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, 
    respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
        errcode = <optimized out>
        s_flags = <optimized out>
        encoded_req_body = {magic = 4, length = 151, data = 0x55f6dc455ccc "0\201\224\240\a\003\005"}
        useenctype = <optimized out>
        au_state = 0x55f6dc43c6d0
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, 
    pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, 
    respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
        retval = <optimized out>
        as_req = 0x55f6dc4542c0
        response = 0x0
        kdc_err_context = 0x55f6dc402200
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
        local_saddrlen = 16
        local_saddrp = <optimized out>
        state = 0x55f6dc43b170
        conn = <optimized out>
        nread = <optimized out>
        len = 2719
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
        priv = <optimized out>
        __PRETTY_FUNCTION__ = "verto_fire"
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340)
    at event.c:1350
        ev = 0x55f6dc453730
        count = 1
#20 event_process_active (base=<optimized out>) at event.c:1420
        activeq = 0x55f6dc425770
        i = 1
        c = 0
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
        evsel = 0x7fefc4f1bbe0 <epollops>
        tv = {tv_sec = 94518715951064, tv_usec = 94515050315781}
        tv_p = <optimized out>
        res = <optimized out>
        done = 0
        retval = 0
        __func__ = "event_base_loop"
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065
        retval = <optimized out>
        kcontext = 0x55f6dc402200
        realm = <optimized out>
        ctx = 0x55f6dc415a20
        tcp_listen_backlog = 5
        i = <optimized out>

Comment 2 Matus Honek 2017-10-24 16:01:00 UTC
ldap_initialize is called with url=0x1 which is a wrong address. In ipadb_get_connection, ipactx contains quite some garbage, including ipactx->uri later passed as url to the ldap_initialize. The ipadb_get_connection was actually called with garbled ipactx. So it is also with ipadb_check_connection, ipadb_simple_search, ipa_get_init_data, down to a call at ipa_kdb_certauth.c:133 to ipadb_get_context which returns wrong ipactx. Then, up the hill, it gets to krb5_db_get_context in kdb5.c where some KRB5_* macro gets into the game. I did not follow farther, IPA devs might orient better here. Hope this makes sense.

Comment 6 Florence Blanc-Renaud 2017-11-03 12:56:08 UTC
When ipa-server package is installed, the file /etc/krb5.conf.d/ipa-certauth is installed on the machine.

The default file /etc/krb5.conf contains the "includedir /etc/krb5.conf.d/" statement that ensures all config files in this path are read -> /etc/krb5.conf.d/ipa-certauth is used even though IPA is not installed.

The file /etc/krb5.conf.d/ipa-certauth defines the ipadb.so plugin, which gets called on krb5 hooks. The issue is that the methods defined in ipa_kdb_certauth.c do not check if IPA is installed before execution and probably lack some initialization.

Comment 7 Alexander Bokovoy 2017-11-06 13:42:48 UTC
Seems to happen because ipadb contains two plugins: kdb backend and certauth plugin at the same time. We definitely need to protect certauth from not using IPA LDAP codepath when IPA is not initialized:

#9  ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, 
    basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, 
    filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", 
    attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0)
    at ipa_kdb_certauth.c:160

Notice basedn, this is clearly a missing check on constructing basedn.

Comment 8 Florence Blanc-Renaud 2017-11-14 17:11:49 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7261

Comment 10 Christian Heimes 2018-02-08 09:38:59 UTC
Fixes have landed in master, 4.6 and 4.5 branch of upstream:

master:

    ec228f4 ipa-kdb: use magic value to check if ipadb is used

ipa-4-6:

    ebb89eb ipa-kdb: use magic value to check if ipadb is used

ipa-4-5:

    f7629b3 ipa-kdb: use magic value to check if ipadb is used
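
The failure analysed in comments 2 and 7 and the "magic value" check named in the commit titles above, as an added example that is not part of this bug thread and is not FreeIPA's code. Every name, struct layout and constant here is hypothetical; the sketch only assumes that the host process hands each plugin one opaque backend pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names and values below are hypothetical, constructed for this example. */
#define DEMO_IPA_MAGIC 0x49504144u

/* Private context of the backend that also ships the certauth module. */
struct demo_ipa_ctx {
    uint32_t magic;     /* first member, written once at backend init */
    const char *uri;    /* LDAP URI later passed to the connection code */
    const char *base;   /* suffix used to build search base DNs */
};

/* Private context of an unrelated file-based backend (constructed layout). */
struct demo_file_ctx {
    uint32_t opened;
    uintptr_t lock_mode; /* occupies the slot where demo_ipa_ctx keeps uri */
    const char *db_name; /* occupies the slot where demo_ipa_ctx keeps base */
};

/* The host process gives every plugin the same opaque backend pointer. */
struct demo_host_ctx {
    void *db_private;
};

enum demo_result { DEMO_OK, DEMO_NO_OPINION, DEMO_ERROR };

/* Bytes an unchecked cast would treat as ctx->uri, read without
 * dereferencing them. On the wrong backend this is not a pointer at all. */
uintptr_t demo_uri_slot(const struct demo_host_ctx *host)
{
    uintptr_t v = 0;
    if (host == NULL || host->db_private == NULL)
        return 0;
    memcpy(&v, (const char *)host->db_private +
               offsetof(struct demo_ipa_ctx, uri), sizeof v);
    return v;
}

/* Checked getter: hand the context back only if it carries our magic.
 * Assumes any backend's private context is at least sizeof(uint32_t) bytes. */
const struct demo_ipa_ctx *demo_get_ctx(const struct demo_host_ctx *host)
{
    uint32_t magic;
    if (host == NULL || host->db_private == NULL)
        return NULL;
    memcpy(&magic, host->db_private, sizeof magic);
    if (magic != DEMO_IPA_MAGIC)
        return NULL;
    return (const struct demo_ipa_ctx *)host->db_private;
}

/* Plugin entry point: step aside when the active backend is not ours,
 * instead of feeding foreign memory to the LDAP code path. */
enum demo_result demo_certauth_authorize(const struct demo_host_ctx *host)
{
    const struct demo_ipa_ctx *ctx = demo_get_ctx(host);
    if (ctx == NULL)
        return DEMO_NO_OPINION;
    if (ctx->uri == NULL || ctx->base == NULL)
        return DEMO_ERROR;
    /* A real module would connect to ctx->uri and search under ctx->base. */
    return DEMO_OK;
}

int main(void)
{
    /* Constructed sample contexts. */
    struct demo_file_ctx file = { 1, 1, "/var/kerberos/krb5kdc/principal" };
    struct demo_ipa_ctx ipa = { DEMO_IPA_MAGIC, "ldapi://%2Fdemo.socket",
                                "dc=example,dc=com" };
    struct demo_host_ctx standalone = { &file }, managed = { &ipa };

    printf("uri slot seen through unchecked cast: %#lx\n",
           (unsigned long)demo_uri_slot(&standalone));
    printf("authorize on file backend: %d\n",
           demo_certauth_authorize(&standalone));
    printf("authorize on ipa backend:  %d\n",
           demo_certauth_authorize(&managed));
    return 0;
}
```

With the constructed file-backend layout, the slot read as `uri` holds the integer 1 and the slot read as `base` holds a database path, the same shape as the `url=0x1` and `basedn` values in the backtrace.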

Comment 11 Christian Heimes 2018-02-08 09:40:55 UTC
Flo, please backport the fix to RHEL 7 package.

Comment 13 Martin Kosek 2018-02-08 10:38:27 UTC
(In reply to Christian Heimes from comment #10)
> Fixes have landed in master, 4.6 and 4.5 branch of upstream:

This should translate in POST state, rather than MODIFIED then.

Comment 15 Mohammad Rizwan 2018-08-17 10:04:24 UTC
version:
ipa-server-4.6.4-5.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
krb5-pkinit-1.15.1-34.el7.x86_64
krb5-workstation-1.15.1-34.el7.x86_64

Steps:
1. Install ipa-server package and make sure certauth plugin points to ipadb.so
# cat /etc/krb5.conf.d/ipa-certauth 
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }


2. Do not set up ipa server, just create certs and set up KDC with pkinit

For generating kdc client and ca certs, https://github.com/freeipa/freeipa-tools/raw/master/makepki.py is used. Script will create directory "pki" and certs can be found in it.

$ cp pki/ca1/client-kdc.crt /var/kerberos/krb5kdc/kdc.pem
$ cp pki/ca1/client-kdc.key /var/kerberos/krb5kdc/kdckey.pem

$ cp pki/ca1/client.crt /etc/krb5/client.pem
$ cp pki/ca1/client.key /etc/krb5/clientkey.pem

$ cp pki/ca1.crt /etc/krb5/cacert.pem
$ cp pki/ca1.crt /var/kerberos/krb5kdc/cacert.pem


# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 EXAMPLE.COM = {
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

3. $ kdb5_util create -s

4. Configure a principal with preauth required.
   $ kadmin.local -q "addprinc  +requires_preauth  user"

5. $ systemctl start krb5kdc.service and 
   $ systemctl start kadmin.service

6. kinit user


Actual result:
make sure ipa is not configured but packages installed.
[root@master ~]# rpm -qa | grep ipa-server
tmp-ipa-server-rhel76-shared-20180705131021-0.noarch
ipa-server-common-4.6.4-5.el7.noarch
ipa-server-4.6.4-5.el7.x86_64

[root@master ~]# ipa help topics
IPA client is not configured on this system

[root@master ~]# kinit test101
Password for test101: 
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7xxS34q
Default principal: test101

Valid starting       Expires              Service principal
08/17/2018 15:16:05  08/18/2018 15:16:01  krbtgt/EXAMPLE.COM


Expected result:
kinit success and no segfault.

Comment 18 Mohammad Rizwan 2018-08-17 10:14:01 UTC
Based on observations in https://bugzilla.redhat.com/show_bug.cgi?id=1505925#c15 , marking the bug verified.

Comment 20 errata-xmlrpc 2018-10-30 10:57:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

