Bug 959999 - Corrupted custom krb5.conf file used by adcli
Summary: Corrupted custom krb5.conf file used by adcli
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Stef Walter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 959458
TreeView+ depends on / blocked
 
Reported: 2013-05-06 11:48 UTC by David Spurek
Modified: 2015-03-02 05:27 UTC (History)
7 users (show)

Fixed In Version: adcli-0.7-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-13 15:09:48 UTC
Type: Bug


Attachments (Terms of Use)

Description David Spurek 2013-05-06 11:48:53 UTC
Description of problem:
Join the domain, but instead of specifying the domain name, specify the server host name. This test case not works. 

More informations you can find here:
https://fedoraproject.org/wiki/QA:Testcase_realmd_join_server

Version-Release number of selected component (if applicable):
realmd-0.13.91-1.fc19

How reproducible:
always

Steps to Reproduce:
1.realm join --user=Administrator <server host name>
2.
3.
  
Actual results:
Fail

Expected results:
Pass

Additional info:
host -t SRV _ldap._tcp.security.baseos.qe
_ldap._tcp.security.baseos.qe has SRV record 0 100 389 dc.security.baseos.qe.

realm join -v -U Amy dc.security.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.dc.security.baseos.qe
 * Resolving: _ldap._tcp.dc.security.baseos.qe
 * Resolving: dc.security.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.36.170
 * Performing LDAP DSE lookup on: 10.34.36.170
 * Successfully discovered: security.baseos.qe
Password for Amy: 
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain security.baseos.qe --domain-realm SECURITY.BASEOS.QE --domain-controller dc.security.baseos.qe --login-type user --login-user Amy --stdin-password
 * Using domain name: security.baseos.qe
 * Calculated computer account name from fqdn: CLIENT
 * Using domain realm: security.baseos.qe
 * Sending cldap pings to domain controller: dc.security.baseos.qe
 * Received NetLogon info from: DC.security.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-cQKlym/krb5.d/adcli-krb5-conf-Umffqe
 ! Failed to create kerberos context: Improper format of Kerberos configuration file
adcli: couldn't connect to security.baseos.qe domain: Failed to create kerberos context: Improper format of Kerberos configuration file
 ! Internal unexpected error joining the domain
realm: Couldn't join realm: Internal unexpected error joining the domain

Comment 1 Stef Walter 2013-05-06 11:50:53 UTC
This should be fixed by git commit '00e99ec714bba89c2c484fd90c12de600b7c0de0' in adcli.

Comment 2 Stef Walter 2013-05-06 12:15:48 UTC
There's a use-after-free memory corruption issue that causes adcli to write out invalid memory to its own temporary custom krb5.conf file.

Comment 3 Fedora Update System 2013-05-06 19:08:27 UTC
adcli-0.7-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/adcli-0.7-1.fc19

Comment 4 Fedora Update System 2013-05-07 20:45:40 UTC
Package adcli-0.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing adcli-0.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7599/adcli-0.7-1.fc19
then log in and leave karma (feedback).

Comment 5 Stef Walter 2013-05-13 15:09:48 UTC
This will be in fixed in Fedora 19 after this update: https://admin.fedoraproject.org/updates/FEDORA-2013-7599/adcli-0.7-1.fc19

Comment 6 Fedora Update System 2013-05-14 04:39:21 UTC
adcli-0.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.