Bug 43159 - Kerberos authentication causes server core dump
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: openldap
Version: 7.1
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Nalin Dahyabhai
Aaron Brown
Reported: 2001-06-01 12:13 EDT by Roger Moore
Modified: 2007-04-18 12:33 EDT
Last Closed: 2001-07-03 16:40:21 EDT
Description Roger Moore 2001-06-01 12:13:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2c1smp i686)

Description of problem:
When attempting to authenticate to the server using a Kerberos V5 password
and user record with userPassword={KERBEROS}user@KRB5.REALM the slapd
process core dumps.

How reproducible:
Always

Steps to Reproduce:
1. Set up slapd with TLS (I used the instructions from
   http://www.bayour.com/LDAPv3-HOWTO.html)
2. Add a user (format from migrate_passwd) with the password
   set to '{KERBEROS}<uid>@<krb5 realm>' filling in the '<>'
   correctly.
3. Run slapd with: '/usr/sbin/slapd -d -1 -h ldaps:///'
4. Attempt to authenticate to the LDAP server. The specific command
   I used was:
   ldapsearch -x -D 'uid=rwmoore,ou=People,dc=clued0,dc=fnal,dc=gov' -W -b "" \
       -s base -LLL -H ldaps://ripon-clued0.fnal.gov/ supportedSASLMechanisms
 

Actual Results:  Slapd generates lots of debug output (due to the -d -1
flag) ending with:
	=> access_allowed: auth access granted by auth (=x)
	ldap_pvt_gethostbyname_a: host=ripon-clued0, r=0
	Segmentation fault (core dumped)


Expected Results:  A list of allowed SASL access methods should have been
printed.

Additional info:

If you type in the incorrect KRB5 password then you correctly get an access
denied message.
Including LDAP as a host resolution method in /etc/nsswitch.conf causes the
server to completely fail to respond.
I tried upgrading to OpenLDAP 2.0.9 and 2.0.11 using your RPM with minimal
modifications but was unsuccessful in getting the ldaps:/// to work. The
change log says that TLS was 'upgraded' but I could find no docs on how to
regenerate the certificates to work with the upgraded version and the old
certificates did not seem to work. The server was present on port 636 but
all the ldap clients reported 'unable to connect to LDAP server'.
Using gdb on the resulting core dump suggests that the crash occurs in
krb5_free_creds calling the 'free' method in malloc. Listed below is the
output from the gdb command 'where':

#0  0x4027cd32 in __libc_free (mem=0xbfffbae0) at malloc.c:3043
#1  0x40089878 in krb5_free_creds () at eval.c:41
#2  0x0808c48c in avl_dup_error () at eval.c:41
#3  0x0808ba15 in avl_dup_error () at eval.c:41
#4  0x0806c76d in aci_set_gather () at eval.c:41
#5  0x0807eaa2 in ldbm_back_bind () at eval.c:41
#6  0x080632ba in ch_free () at eval.c:41
#7  0x08052a70 in slap_sig_wake () at eval.c:41
#8  0x0808ff1d in avl_dup_error () at eval.c:41
#9  0x0805378f in slap_sig_wake () at eval.c:41
#10 0x08053473 in slap_sig_wake () at eval.c:41
#11 0x08053029 in slap_sig_wake () at eval.c:41
#12 0x08050c9c in strcpy () at ../sysdeps/generic/strcpy.c:31
#13 0x0808fddf in avl_dup_error () at eval.c:41
#14 0x08050eed in strcpy () at ../sysdeps/generic/strcpy.c:31
#15 0x0804dfc1 in strcpy () at ../sysdeps/generic/strcpy.c:31
#16 0x40219177 in __libc_start_main (main=0x804d910 <strcpy+352>, argc=5,
    ubp_av=0xbffff7dc, init=0x804c978 <_init>, fini=0x80aca2c <_fini>,
    rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff7cc)
    at ../sysdeps/generic/libc-start.c:129

I have tracked a krb5_free_creds down to libraries/liblutil/passwd.c but I
am not familiar enough with the KRB5 API to work out what is going wrong.
Comment 1 Nalin Dahyabhai 2001-07-03 18:09:51 EDT
This is a bad hunk in a patch we applied to get liblutil to build properly
on an older version of Kerberos (IIRC the krb5_free_cred_contents function
was once undefined).  Removing it keeps the server from dying.  This change
will pop up in openldap-2.0.11-5 and later in Raw Hide.  Thanks!
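
The pairing rule behind the backtrace and Comment 1, as an added example that is not part of the bug report or of OpenLDAP's source: krb5_free_cred_contents releases only what a krb5_creds points to, while krb5_free_creds also frees the structure itself, so it is valid only for a heap-allocated one. The stand-in struct, the tracking allocator and the assumption that the affected krb5_creds lived on the stack (frame #0 shows free() receiving 0xbfffbae0, close to stack_end=0xbffff7cc) are illustrative and not taken from passwd.c.

```c
/* Added example with stand-in types; not libkrb5 or OpenLDAP source. */
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 8
static void *heap_ptrs[SLOTS];                /* pointers handed out by t_alloc */

static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < SLOTS; i++)
        if (!heap_ptrs[i]) return heap_ptrs[i] = p;
    free(p);                                  /* table full or calloc failed */
    return NULL;
}
/* Release p only if t_alloc returned it; a foreign pointer is reported, not freed. */
static int t_free(void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (heap_ptrs[i] == p) { heap_ptrs[i] = NULL; free(p); return 0; }
    return p ? -1 : 0;
}

struct demo_creds { char *client, *ticket; }; /* hypothetical stand-in for krb5_creds */

/* Same contract as krb5_free_cred_contents: members only, struct untouched. */
static int demo_free_cred_contents(struct demo_creds *c) {
    int rc = t_free(c->client) | t_free(c->ticket);
    c->client = c->ticket = NULL;
    return rc;
}
/* Same contract as krb5_free_creds: members first, then the struct itself. */
static int demo_free_creds(struct demo_creds *c) {
    int rc = demo_free_cred_contents(c);
    return rc | t_free(c);
}
static void fill(struct demo_creds *c) { c->client = t_alloc(32); c->ticket = t_alloc(64); }

/* Struct on the caller's stack (assumed). Returns -1 if free() would get a non-heap pointer. */
int cleanup_stack_creds(int call_free_creds) {
    struct demo_creds creds;
    fill(&creds);
    return call_free_creds ? demo_free_creds(&creds) : demo_free_cred_contents(&creds);
}
/* Heap-allocated struct: here the krb5_free_creds-style cleanup is the right call. */
int cleanup_heap_creds(void) {
    struct demo_creds *c = t_alloc(sizeof *c);
    if (!c) return -1;
    fill(c);
    return demo_free_creds(c);
}
int main(void) {
    printf("stack/contents=%d stack/creds=%d heap/creds=%d\n",
           cleanup_stack_creds(0), cleanup_stack_creds(1), cleanup_heap_creds());
    return 0;
}
```

With the real library there is no tracking table between the caller and free(), so the mismatched call hands the stack address straight to the allocator.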
