Bug 44912 - Add error message to pwd_scheme_kinit overlay module
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Florian Best
QA Contact: Arvid Requate
Depends on:
Blocks: 44382
Reported: 2017-06-30 14:34 CEST by Florian Best
Modified: 2017-07-26 14:39 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Ticket number:
Bug group (optional): Error handling, Troubleshooting, Usability
Max CVSS v3 score:


Attachments
fill_sr_text.scratch (1.48 KB, patch)
2017-07-10 20:57 CEST, Arvid Requate

Description Florian Best univentionstaff 2017-06-30 14:34:09 CEST
The overlay module pwd_scheme_kinit (Bug #35092) doesn't report meaningful error messages:
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

This happens very often in UCS-in-Active Directory environments with an unknown reason (e.g. in our Jenkins tests and Bug #44382).

We should add an 'info' attribute to the error which contains the reason which we get from "kinit". There might be messages like "clock skewed".

Additionally there is a printf() in the code, which should be removed.
Comment 1 Florian Best univentionstaff 2017-06-30 14:35:08 CEST
"15_pwd_scheme_kinit.patch" needs to be adjusted in patches/openldap/....
Comment 2 Florian Best univentionstaff 2017-07-06 16:04:39 CEST
Talked with Howard Chu. It's not possible with this boolean-only library.
Maybe instead we can at least log something to syslog?
Comment 3 Florian Best univentionstaff 2017-07-06 16:25:34 CEST
(In reply to Florian Best from comment #2)
> Talked with Howard Chu. It's not possible with this boolean-only library.
> Maybe instead we can at least log something to syslog?
It's a security concern that password modules don't give valuable information to attackers.

When calling LUTIL_PASSWD_CHK_FUNC (in our case: kinit_chk()) we can pass a 4th argument (const char **text) containing a message which is displayed to the end user. But the constant needs to be set before we know any credentials. So this is not usable for us. Or can we hack this and pass something we can modify instead?
Comment 4 Arvid Requate univentionstaff 2017-07-10 20:57:13 CEST
Created attachment 9009 [details]
fill_sr_text.scratch

From the source code I see mdb_bind calling slap_passwd_check with
&(SlapReply *rs)->sr_text as the (const char **text) argument.

So kinit_chk should be able to assign a string to *text, similar to lutil_passwd_hash. See attached scratch.

That SlapReply structure finally gets sent via send_ldap_result.
Comment 5 Arvid Requate univentionstaff 2017-07-10 20:58:29 CEST
Beware: no clue if KRB5KRB_AP_ERR_SKEW actually is a valid return code to check here.
Comment 6 Florian Best univentionstaff 2017-07-18 15:26:25 CEST
Thank you very much for this (new knowledge) :-)

I adapted the messages in the patch a little bit.
Using the error code KRB5KRB_AP_ERR_SKEW works.

r17625 | Bug #44912: add more specific error message to pwd_scheme_kinit overlay

openldap.yaml:
r81221 | YAML Bug #44912
Comment 7 Florian Best univentionstaff 2017-07-18 15:36:05 CEST
Should we expose the kerberos status code if it's an unknown error? Something like:
if (text) sprintf(text, "Unknown kerberos error %d during authentication.", k5_rc);
Comment 8 Florian Best univentionstaff 2017-07-19 10:43:32 CEST
On my system also the kerberos error "-1765328373 KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short" occurred.
I added another error message for this: "The requested effective lifetime is negative or too short."

r17629 | Bug #44912: also handle KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short

The results are already visible in the AD member tests:

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/ADMemberMultiEnv/4/Mode=module,Version=w2k12-german-other-join-user/testReport/71_udm-settings/30_create_ldap_schema/test/

ldap.INVALID_CREDENTIALS: {'info': 'Unknown kerberos error during authentication.', 'desc': 'Invalid credentials'}
Comment 9 Daniel Tröder univentionstaff 2017-07-20 08:18:05 CEST
Update in errata scope fails:

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
Comment 10 Florian Best univentionstaff 2017-07-20 10:14:41 CEST
(In reply to Daniel Tröder from comment #9)
> Update in errata scope fails:
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2.
> A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

Complain at Bug #45046!
Comment 11 Florian Best univentionstaff 2017-07-20 11:13:51 CEST
Fixed in version: 2.4.42+dfsg-2.A~4.2.0.201707201034
Comment 12 Arvid Requate univentionstaff 2017-07-25 19:17:45 CEST
Ok, I created a user, modified userPassword to {KINIT} and devastated my krb5.conf. Then I attempt to ldapsearch. After a timeout the syslog shows:

=======================================================================
master10 slapd[2213]: OVER: rs->sr_err != LDAP_SUCCESS on "uid=user1,dc=ar41i1,dc=qa" ERR: 0x31
master10 slapd[2213]: conn=1006 op=0 RESULT tag=97 err=49 text=No authentication server is available.
=======================================================================

The first line is from translog, the second shows your error message text, so that's cool.

In the patch I see that you use

  log_k5_rc("krb5_get_init_creds_password:", k5_rc, op);

as default, but not in the "known" error cases. I would suggest to generally do this.
Comment 13 Florian Best univentionstaff 2017-07-26 11:43:50 CEST
r17634 | Bug #44912: always log kerberos error message
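The pattern the thread converges on (comments 4, 8 and 13): the check function assigns a static, deliberately generic string to the `const char **text` argument that ends up in `rs->sr_text`, while the exact Kerberos code goes only to syslog. The following is an added illustration, not the UCS patch or OpenLDAP code; `kinit_rc_to_text`, `kinit_log_line` and `kinit_chk_result` are hypothetical names, the krb5 error values are copied from krb5.h so it builds without libkrb5, and the clock-skew message text is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Numeric values as defined in krb5.h (com_err table base -1765328384),
 * reproduced here so the example builds without libkrb5.
 * KRB5KDC_ERR_NEVER_VALID is the -1765328373 seen in comment 8. */
#define KRB5KDC_ERR_NEVER_VALID (-1765328373)
#define KRB5KRB_AP_ERR_SKEW     (-1765328347)

typedef int krb5_error_code;   /* stand-in for the libkrb5 typedef */

/* Map a krb5 return code to the text placed in rs->sr_text.
 * Returns NULL on success and a string literal otherwise: slapd does not
 * free sr_text for us, so it must point at static storage, never a stack
 * buffer. Only coarse, non-secret reasons are exposed to the client. */
const char *kinit_rc_to_text(krb5_error_code rc)
{
    switch (rc) {
    case 0:
        return NULL;
    case KRB5KRB_AP_ERR_SKEW:          /* message text constructed for this example */
        return "Clock skew too great between KDC and LDAP server.";
    case KRB5KDC_ERR_NEVER_VALID:      /* wording from comment 8 */
        return "The requested effective lifetime is negative or too short.";
    default:                           /* wording from comment 8 */
        return "Unknown kerberos error during authentication.";
    }
}

/* Administrator-only detail line (stand-in for the patch's log_k5_rc()).
 * The numeric code belongs here, not in the client-visible text. */
int kinit_log_line(char *buf, size_t len, const char *where, krb5_error_code rc)
{
    return snprintf(buf, len, "%s: kerberos error %d", where, rc);
}

/* Result handling in the shape of a LUTIL_PASSWD_CHK_FUNC: 0 = password
 * accepted, non-zero = rejected. `rc` stands in for the return value of
 * krb5_get_init_creds_password(); it is always logged (r17634). */
int kinit_chk_result(krb5_error_code rc, const char **text)
{
    char line[128];
    if (rc != 0) {
        kinit_log_line(line, sizeof line, "krb5_get_init_creds_password", rc);
        syslog(LOG_ERR, "%s", line);
    }
    if (text)
        *text = kinit_rc_to_text(rc);
    return rc != 0;
}
```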
Comment 14 Arvid Requate univentionstaff 2017-07-26 12:55:42 CEST
* Code review: Ok
* Functional test: Ok
* Advisory: Ok
Comment 15 Erik Damrose univentionstaff 2017-07-26 14:39:38 CEST
<http://errata.software-univention.de/ucs/4.2/100.html>