Univention Bugzilla – Bug 38736
Improve error reporting in s4-connector password.py / python-heimdal
Last modified: 2020-03-11 14:41:41 CET
Created attachment 6971
improve_error_reporting_in_python_heimdal.patch

The error reporting of the S4-Connector password sync code needs improvement. Today we had a case where

  (keyblock, salt, kvno) = heimdal.asn1_decode_key(k)

returned:

  Krb5Error: {'code': 1859794438}

For a non-expert it's impossible to understand what the problem is about. There are error messages connected with the krb5_error_code numbers, but as far as I see the assignment is done generically during compilation, so I cannot find a single source file mentioning this number.

We should make use of the kerberos library functions which translate these numbers into human readable messages, if possible. The attached patch may be a starting point. Probably we have to extend the API of python-heimdal asn1_decode_key and then adjust univention-s4-connector to use the extended API of that function.
Created attachment 6972
what_is_krb5_error_code.c

Meanwhile the attached program code may be useful to convert the error codes to the corresponding message:

  shell# gcc what_is_krb5_error_code.c -o what_is_krb5_error_code -l krb5
  shell# ./what_is_krb5_error_code 1859794438
  ASN.1 identifier doesn't match expected value
  grep 1859794438 /usr/include/heimdal/asn1_err.h
  #define ASN1_BAD_ID (1859794438L)

It's an "ASN1" error code, not a "KRB5" error code; univention-python-heimdal only knows about the last.

Patch available as part of git:phahn/49139_dhpy2-heimdal
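
An added example, not part of this report or of univention-python-heimdal: the numeric codes follow the com_err convention, where the low 8 bits index a message and the upper bits pack the error-table name in 6-bit characters, so a bare number from a log can be attributed to its table ("asn1" versus "krb5") without the headers installed. The function names are hypothetical; the last two sample values are constructed.

```python
# Added example (not from the bug report): split a com_err-style error code
# into its error-table name and the message index inside that table.
import string

ERRCODE_RANGE = 8   # low 8 bits select the message within a table
BITS_PER_CHAR = 6   # table name is packed as up to four 6-bit characters
CHAR_SET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "_"


def split_error_code(code):
    """Return (table_name, index); table_name is "" for plain errno values."""
    code &= 0xFFFFFFFF  # table codes may be logged as negative 32-bit integers
    index = code & ((1 << ERRCODE_RANGE) - 1)
    packed = code >> ERRCODE_RANGE
    name = ""
    for shift in range(3, -1, -1):
        ch = (packed >> (BITS_PER_CHAR * shift)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:
            name += CHAR_SET[ch - 1]
    return name, index


def describe(code):
    """One-line triage string for a bare numeric code found in a log."""
    name, index = split_error_code(code)
    if not name:
        return "%d: no table prefix, likely a system errno" % code
    return "%d: error table '%s', message #%d" % (code, name, index)


if __name__ == "__main__":
    # 1859794438 and 1859794437 are codes quoted in this report;
    # -1765328378 and 13 are constructed samples.
    for sample in (1859794438, 1859794437, -1765328378, 13):
        print(describe(sample))
```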
[4.4-3] bb118a0e46 Bug #50475,#49383,#38736 Heimdal: Merge branch 'phahn/49139_dhpy2-heimdal' into 4.4-3

Package: univention-python-heimdal
Version: 9.0.0-3A~4.4.0.201912181749
Branch: ucs_4.4-0
Scope: errata4.4-3

[4.4-3] 6740211353 Bug #50475: univention-python-heimdal 9.0.0-3A~4.4.0.201912181749
 doc/errata/staging/univention-python-heimdal.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Before:

  # python -c 'import heimdal as h;h.asn1_decode_key("")'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
  heimdal.Krb5Error: {'code': 1859794434}

After:

  # python -c 'import heimdal as h;h.asn1_decode_key("")'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
  heimdal.Krb5Error: ASN.1 encoding ended unexpectedly (1859794437)
Verified:
* krb5_exception now uses krb5_get_error_message/krb5_free_error_message to retrieve the Heimdal error message from the supplied context.
* The Heimdal context is now handled consistently and passed to krb5_exception.
* Improved consistency of error handling in several functions.
* Advisory

<http://errata.software-univention.de/ucs/4.4/477.html>