923909 – 389-ds-base cannot handle Kerberos tickets with PAC

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 923909 - 389-ds-base cannot handle Kerberos tickets with PAC

Summary: 389-ds-base cannot handle Kerberos tickets with PAC

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Rich Megginson
QA Contact:	Sankar Ramalingam
Docs Contact:
URL:
Whiteboard:
Depends On:	923879
Blocks:
TreeView+	depends on / blocked

Reported:	2013-03-20 17:18 UTC by Nathan Kinder
Modified:	2020-09-13 20:26 UTC (History)
CC List:	10 users (show)
Fixed In Version:	389-ds-base-1.2.11.15-22.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Default sasl io buffer size was too small Consequence: SASL connections could be refused Fix: Increased the sasl io buffer size Result: SASL connections are accepted.
Clone Of:	923879
Environment:
Last Closed:	2013-11-21 21:06:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
git patch file 1 (9.70 KB, patch) 2013-04-10 23:13 UTC, Noriko Hosoi	no flags	Details \| Diff
git patch file 2 (2.49 KB, patch) 2013-04-10 23:14 UTC, Noriko Hosoi	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 632	0	None	None	None	2020-09-13 20:26:29 UTC
Red Hat Product Errata	RHBA-2013:1653	0	normal	SHIPPED_LIVE	389-ds-base bug fix update	2013-11-20 21:53:19 UTC

Description Nathan Kinder 2013-03-20 17:18:12 UTC

+++ This bug was initially created as a clone of Bug #923879 +++

Description of problem:
When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B) - 389-ds-base SASL layer does not accept that.

# ipa-adtrust-install 
...
  [11/19]: activating sidgen plugin and task
  [12/19]: activating extdom plugin
  [13/19]: configuring smbd to start on boot
  [14/19]: adding special DNS service records
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-F19-AD-TEST.socket': 

# service dirsrv@F19-AD-TEST status
Redirecting to /bin/systemctl status  dirsrv
dirsrv - 389 Directory Server F19-AD-TEST.
	  Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
	  Active: active (running) since Wed 2013-03-20 15:54:11 CET; 47min ago
	Main PID: 16664 (ns-slapd)
	  CGroup: name=systemd:/system/dirsrv@.service/F19-AD-TEST
		  &#9492;&#9472;16664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-F19-AD-TEST -i /var/run/dirsrv/slap...

Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:30 ipa.f19.ad.test ns-slapd[16664]: encoded packet size too big (3014 > 2048)

/var/log/dirsrv/slapd-F19-AD-TEST/errors:
[20/Mar/2013:15:54:10 +0100] - slapd stopped.
[20/Mar/2013:15:54:11 +0100] - 389-Directory/1.3.0.4 B2013.072.1657 starting up
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[20/Mar/2013:15:54:12 +0100] - Listening on All Interfaces port 636 for LDAPS requests
[20/Mar/2013:15:54:12 +0100] - Listening on /var/run/slapd-F19-AD-TEST.socket for LDAPI requests
[20/Mar/2013:16:41:29 +0100] - sasl_io_recv failed to decode packet for connection 23

This section in the 389-ds-base source code looks to be blamed:

$ find -type f | xargs grep -C 5 maxbufsize
./ldap/servers/slapd/saslbind.c-            prop_request(propctx, dn_propnames);
./ldap/servers/slapd/saslbind.c-        }
./ldap/servers/slapd/saslbind.c-    }
./ldap/servers/slapd/saslbind.c-
./ldap/servers/slapd/saslbind.c-    /* Enable security for this connection */

./ldap/servers/slapd/saslbind.c:    secprops.maxbufsize = 2048; /* DBDB: hack */

./ldap/servers/slapd/saslbind.c-    secprops.max_ssf = 0xffffffff;
./ldap/servers/slapd/saslbind.c-    secprops.min_ssf = config_get_minssf();
./ldap/servers/slapd/saslbind.c-    /* If anonymous access is disabled, set the appropriate flag */
./ldap/servers/slapd/saslbind.c-    if (config_get_anon_access_switch() != SLAPD_ANON_ACCESS_ON) {
./ldap/servers/slapd/saslbind.c-        secprops.security_flags = SASL_SEC_NOANONYMOUS;


Version-Release number of selected component (if applicable):
389-ds-base-1.3.0.4-1.fc19.x86_64

How reproducible:

Steps to Reproduce:
1. Install freeipa-* packages
2. Run ipa-server-install
3. Run ipa-adtrust-install
  
Actual results:
ipa-adtrust-install crashes due to issue described above.

Expected results:
389-ds-base accepts tickets with PAC and installer does not crash.

Additional info:

--- Additional comment from Martin Kosek on 2013-03-20 13:00:55 EDT ---

I just verified that by increasing this value, FreeIPA fixes too.

Comment 2 Nathan Kinder 2013-03-20 18:16:40 UTC

Upstream ticket:
https://fedorahosted.org/389/ticket/632

Comment 3 Noriko Hosoi 2013-04-10 23:13:24 UTC

Created attachment 733920 [details]
git patch file 1

Bug Description:  When FreeIPA is configured with AD trust support, Kerberos
                  tickets may also contain PAC which makes them bigger than
                  usually expected (bigger than 2048 B)

Fix Description:  Make the default 64k(65536), and allow it to be configurable
                  using: nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632

Comment 4 Noriko Hosoi 2013-04-10 23:14:22 UTC

Created attachment 733921 [details]
git patch file 2

Bug Description:  After upgrading the server fails to start because the Root DN
                  access control plugin's entry changed to include nsslapd-Plugin
                  objectclass.

Fix Description:  Update the schema to allow nsslapd-plugin-depends-on-type in
                  the nsslapdPlugin objectclass.

Comment 5 Rob Crittenden 2013-04-18 19:52:51 UTC

This bug opened during FreeIPA Test day seems related, but he hasn't configured trust: https://bugzilla.redhat.com/show_bug.cgi?id=953653

Comment 10 Ján Rusnačko 2013-08-01 11:35:18 UTC

Please, add verification steps (for tet) - or will this be automated in FreeIPA ?

Comment 11 Martin Kosek 2013-08-01 12:49:46 UTC

We do not automate it in FreeIPA, we did not have issue with it in RHEL.

In Fedora 19, the reproduction was simple:

# yum install ipa-server ipa-server-trust-ad
# ipa-server-install
... follow wizard to configure IPA server
# ipa-adtrust-install
... crashed during the middle due to this buffer limitation (see Steps to reproduce bove)

Comment 12 Rich Megginson 2013-08-01 13:58:12 UTC

Mark, were you able to reproduce this issue outside of IPA?

Comment 13 mreynolds 2013-08-01 14:39:07 UTC

No, I was not able to.

Comment 15 Ján Rusnačko 2013-08-13 11:12:23 UTC

Testcase in schema/runschema.

Comment 16 Ján Rusnačko 2013-08-26 15:33:04 UTC

[jrusnack@dstet schema]$ grep "nsslapdPlugin" 01core389.ldif 
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea ) X-ORIGIN 'Netscape Directory Server' )
[jrusnack@dstet schema]$ rpm -qa | grep 389
389-ds-base-debuginfo-1.2.11.15-22.el6.x86_64
389-ds-base-1.2.11.15-22.el6.x86_64
389-ds-base-libs-1.2.11.15-22.el6.x86_64

Tests failed - nsslapdPlugin does not contain nsslapd-plugin-depends-on-type. Hence putting back to ASSIGNED.

Comment 17 Sankar Ramalingam 2013-09-03 16:56:40 UTC

[root@hp-dl380pgen8-02-vm-15 schema]# grep "nsslapdPlugin" 01core389.ldif 
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
[root@hp-dl380pgen8-02-vm-15 schema]# rpm -qa 389-ds-base
389-ds-base-1.2.11.15-23.el6.i686

The latest build shows that the attribute "nsslapd-plugin-depends-on-type" exists in the schema. So, you can go ahead and flip the bugzilla back to Verified state.

Comment 18 Ján Rusnačko 2013-09-04 14:12:14 UTC

Marking verified as per comment https://bugzilla.redhat.com/show_bug.cgi?id=923909#c17

Comment 19 errata-xmlrpc 2013-11-21 21:06:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1653.html

Note You need to log in before you can comment on or make changes to this bug.