Bug 694208 - krb5 backed by ldap performing excessive reference count during kinit throws error result: 11 Administrative limit exceeded
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: krb5
Version: 14
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-04-06 14:07 EDT by Jr Aquino
Modified: 2011-04-07 11:41 EDT (History)
Fixed In Version: 1.9
Doc Type: Bug Fix
Last Closed: 2011-04-07 11:41:56 EDT
Description Jr Aquino 2011-04-06 14:07:45 EDT
Description of problem:
krb5 backed by ldap performing excessive reference count during kinit throws error result: 11 Administrative limit exceeded
When kinit is called, a reference count is performed which looks for all objects to which the Kerberos policy is applied. This causes problems when an LDAP return limit is set and a greater number of users exists to be returned.

Version-Release number of selected component (if applicable):
krb5-server-ldap-1.8.2-9.fc14.x86_64
krb5-server-1.8.2-9.fc14.x86_64
krb5-devel-1.8.2-9.fc14.x86_64
krb5-libs-1.8.2-9.fc14.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install and configure krb5kdc with the ldap backend
2. set an ns-slapd ldap search result limit greater than the number of users present
3. attempt to kinit a user.
Actual results:
#kinit username
kinit: Generic error (see e-text) while getting initial credentials

/var/log/krb5kdc.log:
Apr 06 11:06:03 auth1.example.com krb5kdc[26469](info): AS_REQ (4 etypes {18 17 16 23}) 10.22.6.240: LOOKING_UP_CLIENT: username@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Administrative limit exceeded

Expected results:
Successful kinit

Additional info:
Comment 1 Rob Crittenden 2011-04-06 14:11:57 EDT
389-ds logged the query as:

SRCH base="dc=example,dc=com" scope=2 filter="(krbPwdPolicyReference=cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=expertcity,dc=com)" attrs="krbPwdPolicyReference"

It looks like a reference counter function, krb5_ldap_get_reference_count(), is the culprit.

It looks like the 2 callers just want the result to be non-zero so we don't need an exact count. I think it should be enough to catch limit errors and return success (and a count of 1).
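An added illustration of the failure mode Rob describes and of the fix he proposes. This is example code written for this page, not krb5's own krb5_ldap_get_reference_count(): the in-memory directory, the simulated search routine, the sample policy DNs and the "policy_deletable" caller are all constructed, and the numeric result codes are the LDAP protocol values (adminLimitExceeded is the "11" in the bug title) defined locally so the file compiles without ldap.h.

```c
/* Added example (not krb5 code): a model of krb5_ldap_get_reference_count()
 * run against a constructed directory, showing why a server-side search limit
 * breaks the count and how treating a limit error as "at least one reference"
 * (the fix proposed in Comment 1) restores correct behaviour for callers that
 * only care whether the count is zero or non-zero. */
#include <stdio.h>
#include <string.h>

/* LDAP protocol result codes, defined here so no ldap.h is required. */
#define LDAP_SUCCESS             0
#define LDAP_SIZELIMIT_EXCEEDED  4
#define LDAP_ADMINLIMIT_EXCEEDED 11

/* Constructed policy DNs used by the sample entries below. */
#define GLOBAL_POLICY "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
#define OTHER_POLICY  "cn=other_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
#define UNUSED_POLICY "cn=unused_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"

/* One directory entry: a principal DN and its krbPwdPolicyReference (NULL = none). */
struct entry {
    const char *dn;
    const char *policy_ref;
};

/* Constructed sample directory: three principals reference the global policy,
 * one references another policy, one has no policy at all. */
static const struct entry directory[] = {
    { "krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com", GLOBAL_POLICY },
    { "krbPrincipalName=bob@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",   GLOBAL_POLICY },
    { "krbPrincipalName=carol@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com", GLOBAL_POLICY },
    { "krbPrincipalName=dave@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",  OTHER_POLICY },
    { "krbPrincipalName=erin@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",  NULL },
};
#define NUM_ENTRIES (sizeof directory / sizeof directory[0])

/* Simulated server-side subtree search for (krbPwdPolicyReference=<policy>).
 * Like a directory server with a size limit, it aborts with
 * adminLimitExceeded once more than admin_limit entries have matched, even
 * though it has by then already seen at least admin_limit + 1 matches. */
static int ldap_search_count(const char *policy, size_t admin_limit, size_t *nmatched)
{
    size_t n = 0;
    for (size_t i = 0; i < NUM_ENTRIES; i++) {
        if (directory[i].policy_ref && strcmp(directory[i].policy_ref, policy) == 0) {
            n++;
            if (n > admin_limit) { *nmatched = n; return LDAP_ADMINLIMIT_EXCEEDED; }
        }
    }
    *nmatched = n;
    return LDAP_SUCCESS;
}

/* Behaviour reported in the bug: any search error is propagated to the caller,
 * so a realm with more users than the server limit fails every lookup. */
int get_reference_count_naive(const char *policy, size_t admin_limit, size_t *count)
{
    size_t n;
    int rc = ldap_search_count(policy, admin_limit, &n);
    if (rc != LDAP_SUCCESS) { *count = 0; return rc; }
    *count = n;
    return LDAP_SUCCESS;
}

/* The approach from Comment 1: a size or admin limit error can only happen
 * after at least one entry matched, and the callers only need non-zero, so
 * report success with a count of 1. Other errors are still propagated. */
int get_reference_count_hardened(const char *policy, size_t admin_limit, size_t *count)
{
    size_t n;
    int rc = ldap_search_count(policy, admin_limit, &n);
    if (rc == LDAP_SIZELIMIT_EXCEEDED || rc == LDAP_ADMINLIMIT_EXCEEDED) {
        *count = 1;
        return LDAP_SUCCESS;
    }
    if (rc != LDAP_SUCCESS) { *count = 0; return rc; }
    *count = n;
    return LDAP_SUCCESS;
}

/* Hypothetical caller in the style of the two krb5 users of the count: a policy
 * may only be deleted when nothing references it. Returns 1 (deletable),
 * 0 (still referenced) or -1 (lookup failed). */
int policy_deletable(const char *policy, size_t admin_limit)
{
    size_t count;
    if (get_reference_count_hardened(policy, admin_limit, &count) != LDAP_SUCCESS)
        return -1;
    return count == 0;
}

/* Convenience wrappers: the count on success, or the negated result code. */
int naive_result(const char *policy, size_t admin_limit)
{
    size_t c;
    int rc = get_reference_count_naive(policy, admin_limit, &c);
    return rc == LDAP_SUCCESS ? (int)c : -rc;
}
int hardened_result(const char *policy, size_t admin_limit)
{
    size_t c;
    int rc = get_reference_count_hardened(policy, admin_limit, &c);
    return rc == LDAP_SUCCESS ? (int)c : -rc;
}

int main(void)
{
    /* Server limit of 2 with 3 referencing principals: the naive count fails
     * with result 11, the hardened one reports "referenced". */
    printf("naive:    %d\n", naive_result(GLOBAL_POLICY, 2));
    printf("hardened: %d\n", hardened_result(GLOBAL_POLICY, 2));
    printf("deletable(global): %d\n", policy_deletable(GLOBAL_POLICY, 2));
    printf("deletable(unused): %d\n", policy_deletable(UNUSED_POLICY, 2));
    return 0;
}
```

The hardened variant is only safe because both callers treat the count as a boolean; code that needs the exact number would still have to page through the results or raise the server limit for the KDC's bind identity.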
Comment 2 Jr Aquino 2011-04-07 11:41:56 EDT
This problem appears to be resolved in version 1.9 / FC15

I would be interested in understanding the delta that fixed this in 1.9, but this ticket can now be closed as the 'supported' version of the kdc + ldap doesn't have this issue.
