Univention Bugzilla – Bug 46292
4.3 master, 4.2 backup with s4connector, connector on backup segfaults
Last modified: 2019-03-01 21:00:49 CET
During the update to 4.3 on the master, the ucs-sso user is created with these krb5 keys:

userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv

This causes a segfault in the s4connector (python heimdal bindings) and in s4search-decode:

-> univention-ldapsearch uid=ucs-sso | ldapsearch-wrapper | s4search-decode
...
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 23
# krb5_keytype: arcfour-hmac-md5
# krb5_keytype: arcfour-hmac-md5 (23)
# keyblock: 1k8wegm/+pjNKG0JluZkzw==
# as NThash: D64F307A09BFFA98CD286D0996E664CF
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 3
# krb5_keytype: des-cbc-md5
# krb5_keytype: des-cbc-md5 (3)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 19
Speicherzugriffsfehler (Speicherabzug geschrieben)

Now with skipping the broken keys:

-> univention-ldapsearch uid=ucs-sso | ldapsearch-wrapper | s4search-decode
...
uid: ucs-sso
sambaBadPasswordTime: 0
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 23
# krb5_keytype: arcfour-hmac-md5
# krb5_keytype: arcfour-hmac-md5 (23)
# keyblock: 1k8wegm/+pjNKG0JluZkzw==
# as NThash: D64F307A09BFFA98CD286D0996E664CF
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 3
# krb5_keytype: des-cbc-md5
# krb5_keytype: des-cbc-md5 (3)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 19
SKIPPING
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
# krb5_keytype: 16
# krb5_keytype: des3-cbc-sha1
# krb5_keytype: des3-cbc-sha1 (16)
# keyblock: GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 20
SKIPPING
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 1
# krb5_keytype: des-cbc-crc
# krb5_keytype: des-cbc-crc (1)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 17
# krb5_keytype: aes128-cts-hmac-sha1-96
# krb5_keytype: aes128-cts-hmac-sha1-96 (17)
# keyblock: rPDps5hY83xPSTD+737lmQ==
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 2
# krb5_keytype: des-cbc-md4
# krb5_keytype: des-cbc-md4 (2)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 18
# krb5_keytype: aes256-cts-hmac-sha1-96
# krb5_keytype: aes256-cts-hmac-sha1-96 (18)
# keyblock: yv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbU=
# saltstring: FOUR.TWOucs-sso
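As an added example (not code from the bug report, s4search-decode or the UCS packages), a small stand-alone Python decoder for the krb5Key attribute format shown above: the DER structure SEQUENCE { [0] mkvno OPTIONAL, [1] EncryptionKey { [0] keytype, [1] keyvalue }, [2] Salt { [0] type, [1] salt } }. Instead of trying to name an enctype it does not know (the case that crashed the decoder above), it returns None for keytypes outside a caller-supplied permitted set. The enctype name table and the two sample krb5Key values are taken from this report; no python-heimdal is needed.

```python
import base64

# Enctype ids and Heimdal names exactly as they appear in the decoded output above.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}

# Sample krb5Key values copied from the bug report (the ucs-sso test account).
SAMPLE_DES_MD5 = "MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv"
SAMPLE_AES128_SHA256 = "MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28="


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _by_context_tag(seq_body):
    """Map the [n] context tags of a SEQUENCE body to their inner bytes."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, value, pos = _tlv(seq_body, pos)
        out[tag & 0x1F] = value
    return out


def decode_krb5key(value, permitted=frozenset(ENCTYPE_NAMES)):
    """Decode a base64 krb5Key value; None if the keytype is not permitted.

    Skipping unknown types up front is what keeps the decoder from trying to
    render a type this build does not know about."""
    tag, body, _ = _tlv(base64.b64decode(value), 0)
    if tag != 0x30:
        raise ValueError("krb5Key is not a DER SEQUENCE")
    fields = _by_context_tag(body)
    enckey = _by_context_tag(_tlv(fields[1], 0)[1])  # EncryptionKey { [0] keytype, [1] keyvalue }
    keytype = int.from_bytes(_tlv(enckey[0], 0)[1], "big")  # small positive INTEGER
    if keytype not in permitted:
        return None
    keyvalue = _tlv(enckey[1], 0)[1]
    salt = b""
    if 2 in fields:  # Salt { [0] type, [1] salt }
        salt = _tlv(_by_context_tag(_tlv(fields[2], 0)[1])[1], 0)[1]
    return {"keytype": keytype, "name": ENCTYPE_NAMES.get(keytype),
            "keyblock": base64.b64encode(keyvalue).decode(), "saltstring": salt.decode()}
```

Passing the ids from heimdal.context().get_permitted_enctypes() as `permitted` reproduces the behaviour of a decoder that only handles the types its Heimdal build knows.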
Permitted enc types in 4.3:

>>> import heimdal
>>> c = heimdal.context()
>>> c.get_permitted_enctypes()
[aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]

4.2:

>>> c.get_permitted_enctypes()
[aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]

So aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128 are new in 4.3.
Ok, I guess we need to skip generating the new added types aes256-cts-hmac-sha384-192 (20) and aes128-cts-hmac-sha256-128 (19) in users/user
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: aes128-cts-hmac-sha256-128
# krb5_keytype: aes128-cts-hmac-sha256-128 (19)
# keyblock: giyNOyk+ySwO1IMVuZRHRg==
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
# krb5_keytype: des3-cbc-sha1
# krb5_keytype: des3-cbc-sha1 (16)
# keyblock: GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: aes256-cts-hmac-sha384-192
# krb5_keytype: aes256-cts-hmac-sha384-192 (20)
Also, users/user (or rather python-heimdal) should respect the "permitted_enctypes" setting specified in /etc/krb5.conf. Felix also rightly suggests restricting univention-python-heimdal to only treat the types it actually supports and to skip others. We may want to backport that also to UCS 4.2-3.
(1) we have set the default enc types in 4.3 to those permitted in 4.2, see defaults in conffiles/etc/krb5.conf

(In reply to Arvid Requate from comment #4)
> Also, users/user (or rather python-heimdal) should respect the
> "permitted_enctypes" setting specified in /etc/krb5.conf.
>
> Felix also rightly suggests to restrict univention-python-heimdal to only
> tread the types it actually supports and to skip others. We may want to
> backport that also to UCS 4.2-3.

(2) yes we should fix
(a) univention-python-heimdal.enctype.c enctype_string() to not segfault for unknown enctypes
(b) and maybe univention-s4-connector/modules/univention/s4connector/s4/password.py calculate_supplementalCredentials and univention-samba4/s4search-decode decode_krb5Key to ignore unknown enctypes

--- /usr/sbin/s4search-decode.o	2018-02-15 14:20:06.445811000 +0100
+++ /usr/sbin/s4search-decode	2018-02-15 14:18:29.929811000 +0100
@@ -48,6 +48,7 @@
 from datetime import datetime
 
 context = None
+permitted_enctypes = []
 
 keytypes = {
 	1: 'des_crc',
@@ -74,10 +75,20 @@
 
 
 def decode_krb5Key(value):
+	global context
+	global permitted_enctypes
+	if not context:
+		context = heimdal.context()
+	if not permitted_enctypes:
+		for enc in context.get_permitted_enctypes():
+			permitted_enctypes.append(enc.toint())
 	k = binascii.a2b_base64(value)
 	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
 	enctype = keyblock.keytype()
 	enctype_id = enctype.toint()
+	if enctype_id not in permitted_enctypes:
+		print "# SKIPPING ENC type %s, not support by heimdal" % enctype_id
+		return
 	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
 	key_data = keyblock.keyvalue()
 	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()

(2) should also be backported to 4.2-3
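Review bot: In the decode_krb5Key hunk, the skip message `print "# SKIPPING ENC type %s, not support by heimdal" % enctype_id` has a typo ("not support" should read "not supported") and names the wrong source of truth: the list is filled from context.get_permitted_enctypes(), so a key is skipped because the local Heimdal configuration does not permit that type, not only because this build lacks it; say so in the message (e.g. "not in the permitted enctypes of this Heimdal") so that an operator reading the output of a 4.2 backup does not assume the key itself is broken. Minor: `if not permitted_enctypes:` re-queries the context on every call whenever the list comes back empty; a None sentinel for "not yet loaded" would make the caching explicit.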
Created attachment 9391 [details] manually_filter_permitted_enctypes.patch

Ok, Heimdal 7.1 has additional keys in "default_etypes", and it doesn't consider the "permitted_enctypes" option in krb5.conf. So I created the attached patch to filter the enctypes manually. When I was ready with that I discovered that the options

* permitted_enctypes
* default_tgs_enctypes
* default_tkt_enctypes

are actually MIT Kerberos options and marked as such in the Heimdal krb5.conf parser. That's Bug 36542. I now fixed it by adjusting the UCR template to use the corresponding Heimdal options.
For compatibility reasons I've kept the MIT specific options too.
I would like to patch univention-samba4 and univention-s4-connector to ignore krb5Keys with unsupported enctypes (see patches). We should also backport this to 4.2-3.
Created attachment 9392 [details] univention-s4-connector.patch
Created attachment 9393 [details] univention-samba4.patch
Adjusted with commit e554b41680, packages rebuilt.
FAIL - changelog

OK - univention-samba4

univention-ldapsearch uid=test1 | ldapsearch-wrapper | s4search-decode
...
krb5Key:: MDShGzAZoAMCAROhEgQQuuM6vxGbZy9NcK1bnwQREKIVMBOgAwIBA6EMBApGQi5CRnRlc3Qx
# SKIPPING ENC type 19, not support by this Heimdal version
krb5Key:: MEShKzApoAMCARShIgQgPrt3cs3IlfJI8Zkxn+1wDsiIx1MlPi3g+RzbC77OhYuiFTAToAMCAQOhDAQKRkIuQkZ0ZXN0MQ==
# SKIPPING ENC type 20, not support by this Heimdal version
...

OK - univention-s4-connector

16.02.2018 11:09:45,606 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=test2,DC=four,DC=two
16.02.2018 11:09:45,659 LDAP (WARNING): calculate_supplementalCredentials: ignoring enctype '19', not supported by heimdal
16.02.2018 11:09:45,659 LDAP (WARNING): calculate_supplementalCredentials: ignoring enctype '20', not supported by heimdal
16.02.2018 11:09:45,719 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=test2,DC=four,DC=two
16.02.2018 11:09:45,747 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=test2,DC=four,DC=two
> FAIL - changelog

Sigh, it's a regression that occurred during development of UCS 4.3. I've added the bug number to the existing entry for Bug 36542.
(In reply to Arvid Requate from comment #13)
> > FAIL - changelog
>
> Sigh, it's a regression that occurred during development of UCS 4.3. I've
> added the bug number to the existing entry for Bug 36542.

Yes, you are right, that should be enough.
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".