Bug 1875001 - It is not possible to edit KDC database when the FreeIPA server is running
Summary: It is not possible to edit KDC database when the FreeIPA server is running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-02 17:48 UTC by Filip Dvorak
Modified: 2021-05-18 15:49 UTC (History)

Fixed In Version: ipa-4.9.0-0.1.rc1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Filip Dvorak 2020-09-02 17:48:52 UTC
Description of problem:
When the FreeIPA server is running it is not possible to edit a KDC database with the help of "kadmin.local".

Version-Release number of selected component (if applicable):
RHEL-8.3
ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64
krb5-server-debuginfo-1.18.2-5.el8.x86_64

Steps to Reproduce:
1. Install FreeIPA server
ipa-server-install --hostname=$hostname -r $REALM -n $(hostname -d) -p Passwd -a Passwd --unattended --ip-address $ip_addr

2. kinit admin
3. kadmin.local
4. getprincs

Actual results:
# kadmin.local 
Authenticating as principal admin/admin with password.
kadmin.local:  getprincs
get_principals: Server error while retrieving list.


Expected results:
getprincs should show principals in KDC database.

Comment 1 Robbie Harwood 2020-09-02 17:56:32 UTC
(For ease of debugging, this can also be observed using `kadmin.local getprincs`.)

Unfortunately I don't have a patch, but here are my notes.

- kadmin.local translates getprincs into iteration for '*'
- ipadb_iterate gets called for match_entry '*'
- ipadb_fetch_principals gets called, with principal '*'
- that shim turns into ipadb_fetch_principals_with_Extr_filter: filter is NULL, principal is '*'
  -> esc_original_princ is *
  -> src_filter is "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))"
- ipadb_simple_search gets called with filter ^
- ... into ldap_search_ext_s
- ... into ldap_pvt_search, which returns -7

and that error code is propagated back up.

While we don't support editing the KDB through kadmin.local, we do need getprincs/getprinc to work - i.e., read-only access - for our testing scripts (including what Filip runs for our QE).

Comment 2 Alexander Bokovoy 2020-09-08 11:03:36 UTC
I can reproduce this with a simple ldapsearch and the error happens in openldap's libldap where it cannot parse the filter if that one includes '*' in the 'krbprincipalname:caseIgnoreIA5Match:=*' term.

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=*)))
# requesting: ALL
#

ldap_search_ext: Bad search filter (-7)

If I replace the last '*' with any other value, it matches:

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=admin)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=admin)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

Comment 3 Alexander Bokovoy 2020-09-08 11:08:12 UTC
RFC 4515 section 3 defines the value used to assert as AssertionValue from https://tools.ietf.org/html/rfc4511#section-4.1.6:

assertionvalue = valueencoding
      ; The <valueencoding> rule is used to encode an <AssertionValue>
      ; from Section 4.1.6 of [RFC4511].
      valueencoding  = 0*(normal / escaped)
      normal         = UTF1SUBSET / UTFMB
      escaped        = ESC HEX HEX
      UTF1SUBSET     = %x01-27 / %x2B-5B / %x5D-7F
                          ; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
                          ; RPAREN, ASTERISK, and ESC.
      EXCLAMATION    = %x21 ; exclamation mark ("!")
      AMPERSAND      = %x26 ; ampersand (or AND symbol) ("&")
      ASTERISK       = %x2A ; asterisk ("*")
      COLON          = %x3A ; colon (":")
      VERTBAR        = %x7C ; vertical bar (or pipe) ("|")
      TILDE          = %x7E ; tilde ("~")

   Note that although both the <substring> and <present> productions in
   the grammar above can produce the "attr=*" construct, this construct
   is used only to denote a presence filter.

   The <valueencoding> rule ensures that the entire filter string is a
   valid UTF-8 string and provides that the octets that represent the
   ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
   0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
   backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
   representing the value of the encoded octet.

If I use '%x2A' instead of the asterisk in the filter, it returns all expected values:

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket '(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=%x2A)))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> (default) with scope subtree
# filter: (&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)(objectclass=ipakrbprincipal))(|(ipakrbprincipalalias=*)(krbprincipalname:caseIgnoreIA5Match:=%x2A)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
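
An added example, not part of this bug report and not the FreeIPA fix referenced later: an RFC 4515 assertion-value escaper and a principal-lookup filter builder that turns the bare '*' wildcard into presence filters instead of feeding it to the extensible-match term. The function names and the PRINCIPAL_OBJECTCLASSES constant are mine; the objectclass and attribute names are the ones from the filter quoted above.

```python
# Added example (not FreeIPA's or MIT krb5's code): RFC 4515 escaping plus a
# filter builder that avoids the "Bad search filter (-7)" failure seen above.

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an RFC 4515 AssertionValue.

    '*', '(', ')', '\\' and NUL must be written as a backslash followed by
    two hex digits; every other character passes through unchanged.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def has_unescaped_special(value: str) -> bool:
    """Return True when a value still contains a character that may not
    appear raw inside an assertion value (the condition libldap rejects)."""
    return any(ch in "*()\\\x00" for ch in value)


# Objectclass disjunction taken from the filter in the comments above.
PRINCIPAL_OBJECTCLASSES = ("(|(objectclass=krbprincipalaux)"
                           "(objectclass=krbprincipal)"
                           "(objectclass=ipakrbprincipal))")


def build_principal_filter(principal: str) -> str:
    """Build a principal lookup filter that is always valid per RFC 4515.

    A bare '*' (what kadmin.local's getprincs iterates over) becomes a pair
    of presence filters, the only form in which "attr=*" is legal.  Any other
    principal name is escaped, so the extensible-match term
    krbprincipalname:caseIgnoreIA5Match:= never receives a raw '*', '(' or ')'.
    """
    if principal == "*":
        match = "(|(ipakrbprincipalalias=*)(krbprincipalname=*))"
    else:
        esc = escape_filter_value(principal)
        assert not has_unescaped_special(esc.replace("\\", ""))
        match = ("(|(ipakrbprincipalalias=%s)"
                 "(krbprincipalname:caseIgnoreIA5Match:=%s))" % (esc, esc))
    return "(&%s%s)" % (PRINCIPAL_OBJECTCLASSES, match)
```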

Comment 4 Petr Čech 2020-09-09 11:07:59 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8490

Comment 6 Rob Crittenden 2020-09-10 19:36:10 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/ec8a560392c89da96a805e9779eaa2041dd992c1
https://pagure.io/freeipa/c/f316d0118b8b00207e8d005f20d5de837c46a220

Test in ipatests/test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs

Comment 14 Kaleem 2020-12-17 15:39:08 UTC
Verified based on following info

Snip from runner.log for IPA Version:
------------------------------------
2020-12-17T14:33:33+0000 TASK [List installed IPA packages version] *************************************
2020-12-17T14:33:34+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-17T14:33:34+0000   msg:
2020-12-17T14:33:34+0000   - arch: x86_64
2020-12-17T14:33:34+0000     epoch: null
2020-12-17T14:33:34+0000     name: ipa-server
2020-12-17T14:33:34+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-17T14:33:34+0000     source: rpm
2020-12-17T14:33:34+0000     version: 4.9.0

Snip from test-result.xt:
-------------------------
Test "ipatests/test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs" for this bugzilla is successful as per following details from the test run.

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 159 items

....
.......
......
test_ipaserver/test_kadmin.py::TestKadmin::test_create_keytab[service_in_kerberos_subtree] PASSED [ 16%]
test_ipaserver/test_kadmin.py::TestKadmin::test_create_keytab[service_in_service_subtree] PASSED [ 17%]
test_ipaserver/test_kadmin.py::TestKadmin::test_change_key[service_in_kerberos_subtree] PASSED [ 18%]
test_ipaserver/test_kadmin.py::TestKadmin::test_change_key[service_in_service_subtree] PASSED [ 18%]
test_ipaserver/test_kadmin.py::TestKadmin::test_append_key[service_in_kerberos_subtree] PASSED [ 19%]
test_ipaserver/test_kadmin.py::TestKadmin::test_append_key[service_in_service_subtree] PASSED [ 20%]
test_ipaserver/test_kadmin.py::TestKadmin::test_getprincs PASSED         [ 20%]
.....
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED  [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
=========================== short test summary info ============================
SKIP [1] /usr/lib/python3.6/site-packages/ipatests/test_ipaserver/test_ldap.py:96: No directory manager password in /root/.ipa/.dmpw
SKIP [1] /usr/lib/python3.6/site-packages/ipatests/test_ipaserver/test_ldap.py:122: No directory manager password in /root/.ipa/.dmpw
SKIP [1] test_ipaserver/test_ldap.py:249: Python 2 only
SKIP [1] test_ipaserver/test_topology_plugin.py:35: You did not provide a .dmpw file with the DM password
============== 155 passed, 4 skipped, 6 warnings in 20.15 seconds ==============

Comment 16 errata-xmlrpc 2021-05-18 15:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

