First Last Prev Next    This bug is not in your last search results.
Bug 38736 - Improve error reporting in s4-connector password.py / python-heimdal
Improve error reporting in s4-connector password.py / python-heimdal
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 4.2
Other Linux
: P5 enhancement (vote)
: UCS 4.4-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-19 18:33 CEST by Arvid Requate
Modified: 2020-03-11 14:41 CET (History)
2 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling
Max CVSS v3 score:
best: Patch_Available+

Attachments
improve_error_reporting_in_python_heimdal.patch (1.74 KB, patch)
2015-06-19 18:33 CEST, Arvid Requate 		Details | Diff
what_is_krb5_error_code.c (481 bytes, text/plain)
2015-06-19 21:01 CEST, Arvid Requate 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-06-19 18:33:10 CEST 
Created attachment 6971 [details]
improve_error_reporting_in_python_heimdal.patch

The error reporting of the S4-Connector password sync code needs improvement. Today we had a case where

(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)

returned:

Krb5Error: {'code': 1859794438}

For a non-expert it's impossible to understand what the problem is about.

There are error messages connected with the krb5_error_code numbers, but as far as I see the assignment is done generically during compilation, so I cannot find a single source file mentioning this number. We should make use of the kerberos library functions which translate these numbers into human readable messages, if possible. The attached patch may be a starting point. Probably we have to extend the API of python-heimdal asn1_decode_key and then adjust univention-s4-connector to use the extended API of that funtion.
Comment 1 Arvid Requate univentionstaff 2015-06-19 21:01:08 CEST 
Created attachment 6972 [details]
what_is_krb5_error_code.c

Meanwhile the attached program code may be useful to convert the error codes to the corresponding message:

shell# gcc what_is_krb5_error_code.c -o what_is_krb5_error_code -l krb5
shell# ./what_is_krb5_error_code 1859794438
ASN.1 identifier doesn't match expected value
Comment 2 Philipp Hahn univentionstaff 2019-12-18 17:32:06 CET 
grep 1859794438 /usr/include/heimdal/asn1_err.h 
#define ASN1_BAD_ID                              (1859794438L)

It's a "ASN1" error code, not a "KRB5" error code; univention-python-heimdal only known about the last.

Patch available as part of git:phahn/49139_dhpy2-heimdal
Comment 3 Philipp Hahn univentionstaff 2019-12-18 17:53:18 CET 
[4.4-3] bb118a0e46 Bug #50475,#49383,#38736 Heimdal: Merge branch 'phahn/49139_dhpy2-heimdal' into 4.4-3

Package: univention-python-heimdal
Version: 9.0.0-3A~4.4.0.201912181749
Branch: ucs_4.4-0
Scope: errata4.4-3

[4.4-3] 6740211353 Bug #50475: univention-python-heimdal 9.0.0-3A~4.4.0.201912181749
 doc/errata/staging/univention-python-heimdal.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Philipp Hahn univentionstaff 2019-12-18 18:27:42 CET 
Before:

# python -c 'import heimdal as h;h.asn1_decode_key("")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
heimdal.Krb5Error: {'code': 1859794434}

After:

# python -c 'import heimdal as h;h.asn1_decode_key("")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
heimdal.Krb5Error: ASN.1 encoding ended unexpectedly (1859794437)
Comment 5 Arvid Requate univentionstaff 2020-01-20 16:37:14 CET 
Verified:

* krb5_exception now uses krb5_get_error_message/krb5_free_error_message to retrieve the Heimdal error message from the supplied context.
* The Heimdal context is now handled consistently and passed to krb5_exception.
* Improved consistency of error handling in several functions.
* Advisory
Comment 6 Erik Damrose univentionstaff 2020-03-11 14:41:41 CET 
<http://errata.software-univention.de/ucs/4.4/477.html>
First Last Prev Next    This bug is not in your last search results.