Bug 44912
| Summary: | Add error message to pwd_scheme_kinit overlay module | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | LDAP | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, requate, troeder |
| Version: | UCS 4.2 | ||
| Target Milestone: | UCS 4.2-1-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45046 | ||
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Error handling, Troubleshooting, Usability | |
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 44382, 45438 | ||
| Attachments: | fill_sr_text.scratch | ||
|
Description
Florian Best
"15_pwd_scheme_kinit.patch" needs to be adjusted in patches/openldap/.... Talked with Howard Chu. It's not possible with this boolean-only library. Maybe instead we can at least log something to syslog? (In reply to Florian Best from comment #2) > Talked with Howard Chu. It's not possible with this boolean-only library. > Maybe instead we can at least log something to syslog? It's a security concern that password modules don't give valuable information to attackers. When calling LUTIL_PASSWD_CHK_FUNC (in our case: kinit_chk()) we can pass a 4th argument (const char **text) containing a message which is displayed to the end user. But the constant needs to be set before we know any credentials. So this is not usable for us. Or can we hack this and pass something we can modify instead? Created attachment 9009 [details]
fill_sr_text.scratch
From the source code I see mdb_bind calling slap_passwd_check with
&(SlapReply *rs)->sr_text as the (const char **text) argument.
So kinit_chk should be able to assign a string to *text, similar to lutil_passwd_hash. See attached scratch.
That SlapReply structure finally gets send via send_ldap_result.
Beware: no clue if KRB5KRB_AP_ERR_SKEW actually is a valid return code to check here. Thank you very much for this (new knowledge) :-) I adapted the messages in the patch a little bit. Using the error code KRB5KRB_AP_ERR_SKEW works. r17625 | Bug #44912: add more specific error message to pwd_scheme_kinit overlay openldap.yaml: r81221 | YAML Bug #44912 Should we expose the kerberos status code if it's an unknown error?: Something like: if (text) sprintf(text, "Unknown kerberos error %d during authentication.", k5_rc); On my system also the kerberos error "-1765328373 KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short" occurred. I added another error message for this: "The requested effective lifetime is negative or too short." r17629 | Bug #44912: also handle KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short The results are already visible in the AD member tests: http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/ADMemberMultiEnv/4/Mode=module,Version=w2k12-german-other-join-user/testReport/71_udm-settings/30_create_ldap_schema/test/ ldap.INVALID_CREDENTIALS: {'info': 'Unknown kerberos error during authentication.', 'desc': 'Invalid credentials'} Update in errata scope fails: E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein (In reply to Daniel Tröder from comment #9) > Update in errata scope fails: > > E: Fehlschlag beim Holen von > http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4. > 42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein > > E: Fehlschlag beim Holen von > http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4. > 42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein > > E: Fehlschlag beim Holen von > http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2. > A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein > > E: Fehlschlag beim Holen von > http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4. > 42+dfsg-2.A~4.2.0.201707190950_amd64.deb Größe stimmt nicht überein Complain at Bug #45046! Fixed in version: 2.4.42+dfsg-2.A~4.2.0.201707201034 Ok, I created a user, modified userPassword to {KINIT} and devastated my krb5.conf. Then I attempt to ldapsearch. After a timeout the syslog shows:
=======================================================================
master10 slapd[2213]: OVER: rs->sr_err != LDAP_SUCCESS on "uid=user1,dc=ar41i1,dc=qa" ERR: 0x31
master10 slapd[2213]: conn=1006 op=0 RESULT tag=97 err=49 text=No authentication server is available.
=======================================================================
The first line is from translog, the second shows your error message text, so that's cool.
In the patch I see that you use
log_k5_rc("krb5_get_init_creds_password:", k5_rc, op);
as default, but not in the "known" error cases. I would suggest to generally to this.
r17634 | Bug #44912: always log kerberos error message * Code review: Ok * Functional test: Ok * Advisory: Ok |