Bug 46301 - 4.3 master, 4.2 backup with s4connector, connector on backup segfaults
4.3 master, 4.2 backup with s4connector, connector on backup segfaults
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Felix Botner
Arvid Requate
:
Depends on: 46292
Blocks: 46298
  Show dependency treegraph
 
Reported: 2018-02-16 11:33 CET by Felix Botner
Modified: 2018-03-28 13:58 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
manually_filter_heimdal_enctypes.patch (5.65 KB, patch)
2018-02-16 13:16 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2018-02-16 11:33:10 CET
+++ This bug was initially created as a clone of Bug #46292 +++

During the update to 4.3 on the master, the ucs-sso user is created with these krb5 keys

userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv

this causes a segfault in the s4connector (python heimdal bindings) and s4search-decode


->  univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
Speicherzugriffsfehler (Speicherabzug geschrieben)


now a with skipping the broken keys

-> univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...
uid: ucs-sso
sambaBadPasswordTime: 0
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
SKIPPING
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
#	krb5_keytype: 16
#	krb5_keytype: des3-cbc-sha1
#	krb5_keytype: des3-cbc-sha1 (16)
#	keyblock:  GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 20
SKIPPING
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 1
#	krb5_keytype: des-cbc-crc
#	krb5_keytype: des-cbc-crc (1)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 17
#	krb5_keytype: aes128-cts-hmac-sha1-96
#	krb5_keytype: aes128-cts-hmac-sha1-96 (17)
#	keyblock:  rPDps5hY83xPSTD+737lmQ==
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 2
#	krb5_keytype: des-cbc-md4
#	krb5_keytype: des-cbc-md4 (2)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 18
#	krb5_keytype: aes256-cts-hmac-sha1-96
#	krb5_keytype: aes256-cts-hmac-sha1-96 (18)
#	keyblock:  yv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbU=
#	saltstring:  FOUR.TWOucs-sso
Comment 1 Arvid Requate univentionstaff 2018-02-16 12:24:30 CET
Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug could be backported, but that's not strictly necessary currently.
Comment 2 Felix Botner univentionstaff 2018-02-16 12:50:41 CET
(In reply to Arvid Requate from comment #1)
> Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug
> could be backported, but that's not strictly necessary currently.

I would like to see the univention-s4-connector and univention-samba4 patches from Bug #46292 merged to 4.2-3. Just to make sure the connector does not segfault with "invalid" krb5keys.

Yes, this is not necessary (as we fixed the enctypes  in 4.3), but in the very unlikely situation that somebody fiddled around with e.g kerberos/defaults/enctypes/tgs it could happen, so in my opinion we should better make sure the connector can handle this
Comment 3 Arvid Requate univentionstaff 2018-02-16 13:16:29 CET
Created attachment 9394 [details]
manually_filter_heimdal_enctypes.patch

Ok, I understand, this is the patch from Bug #46292.
Comment 4 Felix Botner univentionstaff 2018-03-19 18:33:55 CET
cherry picked commit from 4.3-0 to 4.2-3

univention-samba4 univention-s4-connector
66c6f53b2987ac5096048b4d78205d65f36739cc

fixed bug number
c1ac1932b8148cda924a168873b076ba843a8c8e

yaml
c7b78cfac5c9e2ade7708013be3b7681c52e28d1
Comment 5 Arvid Requate univentionstaff 2018-03-27 19:09:29 CEST
Backport ok, Advisory too.