Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 923909

Summary: 389-ds-base cannot handle Kerberos tickets with PAC
Product: Red Hat Enterprise Linux 6 Reporter: Nathan Kinder <nkinder>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Sankar Ramalingam <sramling>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4CC: edewata, jgalipea, jrusnack, lnovich, mkosek, mreynolds, nhosoi, nkinder, rcritten, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.11.15-22.el6 Doc Type: Bug Fix
Doc Text:
Cause: Default sasl io buffer size was too small Consequence: SASL connections could be refused Fix: Increased the sasl io buffer size Result: SASL connections are accepted.
 Story Points: ---
Clone Of: 923879 Environment:
Last Closed: 2013-11-21 21:06:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 923879    
Bug Blocks:    
Attachments:
Description Flags
git patch file 1
none
git patch file 2 none

Description Nathan Kinder 2013-03-20 17:18:12 UTC 
+++ This bug was initially created as a clone of Bug #923879 +++

Description of problem:
When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B) - 389-ds-base SASL layer does not accept that.

# ipa-adtrust-install 
...
  [11/19]: activating sidgen plugin and task
  [12/19]: activating extdom plugin
  [13/19]: configuring smbd to start on boot
  [14/19]: adding special DNS service records
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-F19-AD-TEST.socket': 

# service dirsrv@F19-AD-TEST status
Redirecting to /bin/systemctl status  dirsrv
dirsrv - 389 Directory Server F19-AD-TEST.
	  Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
	  Active: active (running) since Wed 2013-03-20 15:54:11 CET; 47min ago
	Main PID: 16664 (ns-slapd)
	  CGroup: name=systemd:/system/dirsrv@.service/F19-AD-TEST
		  &#9492;&#9472;16664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-F19-AD-TEST -i /var/run/dirsrv/slap...

Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:30 ipa.f19.ad.test ns-slapd[16664]: encoded packet size too big (3014 > 2048)

/var/log/dirsrv/slapd-F19-AD-TEST/errors:
[20/Mar/2013:15:54:10 +0100] - slapd stopped.
[20/Mar/2013:15:54:11 +0100] - 389-Directory/1.3.0.4 B2013.072.1657 starting up
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[20/Mar/2013:15:54:12 +0100] - Listening on All Interfaces port 636 for LDAPS requests
[20/Mar/2013:15:54:12 +0100] - Listening on /var/run/slapd-F19-AD-TEST.socket for LDAPI requests
[20/Mar/2013:16:41:29 +0100] - sasl_io_recv failed to decode packet for connection 23

This section in the 389-ds-base source code looks to be blamed:

$ find -type f | xargs grep -C 5 maxbufsize
./ldap/servers/slapd/saslbind.c-            prop_request(propctx, dn_propnames);
./ldap/servers/slapd/saslbind.c-        }
./ldap/servers/slapd/saslbind.c-    }
./ldap/servers/slapd/saslbind.c-
./ldap/servers/slapd/saslbind.c-    /* Enable security for this connection */

./ldap/servers/slapd/saslbind.c:    secprops.maxbufsize = 2048; /* DBDB: hack */

./ldap/servers/slapd/saslbind.c-    secprops.max_ssf = 0xffffffff;
./ldap/servers/slapd/saslbind.c-    secprops.min_ssf = config_get_minssf();
./ldap/servers/slapd/saslbind.c-    /* If anonymous access is disabled, set the appropriate flag */
./ldap/servers/slapd/saslbind.c-    if (config_get_anon_access_switch() != SLAPD_ANON_ACCESS_ON) {
./ldap/servers/slapd/saslbind.c-        secprops.security_flags = SASL_SEC_NOANONYMOUS;


Version-Release number of selected component (if applicable):
389-ds-base-1.3.0.4-1.fc19.x86_64

How reproducible:

Steps to Reproduce:
1. Install freeipa-* packages
2. Run ipa-server-install
3. Run ipa-adtrust-install
  
Actual results:
ipa-adtrust-install crashes due to issue described above.

Expected results:
389-ds-base accepts tickets with PAC and installer does not crash.

Additional info:

--- Additional comment from Martin Kosek on 2013-03-20 13:00:55 EDT ---

I just verified that by increasing this value, FreeIPA fixes too.
Comment 2 Nathan Kinder 2013-03-20 18:16:40 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/632
Comment 3 Noriko Hosoi 2013-04-10 23:13:24 UTC 
Created attachment 733920 [details]
git patch file 1

Bug Description:  When FreeIPA is configured with AD trust support, Kerberos
                  tickets may also contain PAC which makes them bigger than
                  usually expected (bigger than 2048 B)

Fix Description:  Make the default 64k(65536), and allow it to be configurable
                  using: nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632
Comment 4 Noriko Hosoi 2013-04-10 23:14:22 UTC 
Created attachment 733921 [details]
git patch file 2

Bug Description:  After upgrading the server fails to start because the Root DN
                  access control plugin's entry changed to include nsslapd-Plugin
                  objectclass.

Fix Description:  Update the schema to allow nsslapd-plugin-depends-on-type in
                  the nsslapdPlugin objectclass.
Comment 5 Rob Crittenden 2013-04-18 19:52:51 UTC 
This bug opened during FreeIPA Test day seems related, but he hasn't configured trust: https://bugzilla.redhat.com/show_bug.cgi?id=953653
Comment 10 Ján Rusnačko 2013-08-01 11:35:18 UTC 
Please, add verification steps (for tet) - or will this be automated in FreeIPA ?
Comment 11 Martin Kosek 2013-08-01 12:49:46 UTC 
We do not automate it in FreeIPA, we did not have issue with it in RHEL.

In Fedora 19, the reproduction was simple:

# yum install ipa-server ipa-server-trust-ad
# ipa-server-install
... follow wizard to configure IPA server
# ipa-adtrust-install
... crashed during the middle due to this buffer limitation (see Steps to reproduce bove)
Comment 12 Rich Megginson 2013-08-01 13:58:12 UTC 
Mark, were you able to reproduce this issue outside of IPA?
Comment 13 mreynolds 2013-08-01 14:39:07 UTC 
No, I was not able to.
Comment 15 Ján Rusnačko 2013-08-13 11:12:23 UTC 
Testcase in schema/runschema.
Comment 16 Ján Rusnačko 2013-08-26 15:33:04 UTC 
[jrusnack@dstet schema]$ grep "nsslapdPlugin" 01core389.ldif 
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea ) X-ORIGIN 'Netscape Directory Server' )
[jrusnack@dstet schema]$ rpm -qa | grep 389
389-ds-base-debuginfo-1.2.11.15-22.el6.x86_64
389-ds-base-1.2.11.15-22.el6.x86_64
389-ds-base-libs-1.2.11.15-22.el6.x86_64

Tests failed - nsslapdPlugin does not contain nsslapd-plugin-depends-on-type. Hence putting back to ASSIGNED.
Comment 17 Sankar Ramalingam 2013-09-03 16:56:40 UTC 
[root@hp-dl380pgen8-02-vm-15 schema]# grep "nsslapdPlugin" 01core389.ldif 
objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
[root@hp-dl380pgen8-02-vm-15 schema]# rpm -qa 389-ds-base
389-ds-base-1.2.11.15-23.el6.i686

The latest build shows that the attribute "nsslapd-plugin-depends-on-type" exists in the schema. So, you can go ahead and flip the bugzilla back to Verified state.
Comment 18 Ján Rusnačko 2013-09-04 14:12:14 UTC 
Marking verified as per comment https://bugzilla.redhat.com/show_bug.cgi?id=923909#c17
Comment 19 errata-xmlrpc 2013-11-21 21:06:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1653.html