459524 – pam_ldap has some problems chasing referrals properly on expired passwords.

Bug 459524 - pam_ldap has some problems chasing referrals properly on expired passwords.

Summary: pam_ldap has some problems chasing referrals properly on expired passwords.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	nss_ldap
Sub Component:
Version:	5.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-08-19 17:37 UTC by Russell Miller
Modified:	2010-04-01 17:24 UTC (History)
CC List:	2 users (show)
Fixed In Version:	253-6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-04-01 17:24:08 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Russell Miller 2008-08-19 17:37:43 UTC

Description of problem:

When changing an expired password while using referrals, if the server actually changes the password while sending referrals, pam_ldap assumes that the password is changed and overwrites it.  However, the referral to the master is not yet chased, so binding to the master fails, thereby causing the password change to ultimately fail.

Version-Release number of selected component (if applicable):

nss_ldap-253-13.1

How reproducible:

Always

Steps to Reproduce:
1. Set up two fedora-DS servers, one a master, and one a slave.
2. Set up a referral from the slave to the master
3. Set up an expired user account.
4. Try to ssh to a server using the slave, and reset the password when requested
     (using exop).
5. Master fails the update with "invalid credentials".
  
Actual results:


Expected results:


Additional info:

The problem appears to be in the _update_authtok routine.  Commenting out the final block of code starting on line 3117:

/*  if (rc == LDAP_SUCCESS)
    {
      _pam_overwrite (session->info->userpw);
      _pam_drop (session->info->userpw);
      session->info->userpw = strdup (new_password);
      if (session->info->userpw == NULL)
        {
          rc = PAM_BUF_ERR;
        }
    } */

Appears to fix the problem.  I get "can't update shadowLastChange" after that, but it appears to be a different problem, and I can at least log in.

The fix I made is probably insecure.  Please work with me to find the correct fix.  I actually have support with redhat through my company, I will pass this bug report number on to our rep.  thanks.

Comment 1 Russell Miller 2008-08-20 00:02:31 UTC

More information:  I have reason to believe that this problem will manifest on a large network where the master is in another datacenter than the slave and the client.  It would make sense that the modification would be finished and the modification made on the client before it even gets a chance to connect to the master.  Therefore this sounds like a race condition to me.

My patch is likely wrong - what probably *should* happen is that the password should not be tossed until *all* referrals are chased.  If I get some time I'll try to figure out how to do that.

Comment 2 Russell Miller 2008-08-22 02:57:52 UTC

This bug can be closed.  I have tracked it down per support request 1851828 to be the fact that the server is not sending referrals on a password change.  Working with support to find a way around that.

Comment 3 Nalin Dahyabhai 2010-04-01 17:24:08 UTC

Sorry for the delay here.  Closing due to fixes in this area which should have gone out in 5.2.  Please reopen if you're still seeing this happen.

Note You need to log in before you can comment on or make changes to this bug.