Univention Bugzilla – Full Text Bug Listing

| Summary: | 4.3 master, 4.2 backup with s4connector, connector on backup segfaults | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | UDM (Generic) | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, requate |
| Version: | UCS 4.3 | Keywords: | interim-3 |
| Target Milestone: | UCS 4.3 | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=36542 | | |
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 46298, 46301 | | |
| Attachments: | manually_filter_permitted_enctypes.patch, univention-s4-connector.patch, univention-samba4.patch | | |
Description
Felix Botner
2018-02-15 12:48:39 CET
permitted enc types in 4.3

    >>> import heimdal
    >>> c = heimdal.context()
    >>> c.get_permitted_enctypes()
    [aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]

4.2

    > c.get_permitted_enctypes()
    [aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]

so aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128 are new in 4.3

Ok, I guess we need to skip generating the newly added types aes256-cts-hmac-sha384-192 (20) and aes128-cts-hmac-sha256-128 (19) in users/user

    krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
    #	krb5_keytype: aes128-cts-hmac-sha256-128
    #	krb5_keytype: aes128-cts-hmac-sha256-128 (19)
    #	keyblock: giyNOyk+ySwO1IMVuZRHRg==
    #	saltstring: FOUR.TWOucs-sso
    krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
    #	krb5_keytype: des3-cbc-sha1
    #	krb5_keytype: des3-cbc-sha1 (16)
    #	keyblock: GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
    #	saltstring: FOUR.TWOucs-sso
    krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
    #	krb5_keytype: aes256-cts-hmac-sha384-192
    #	krb5_keytype: aes256-cts-hmac-sha384-192 (20)

Also, users/user (or rather python-heimdal) should respect the "permitted_enctypes" setting specified in /etc/krb5.conf.

Felix also rightly suggests to restrict univention-python-heimdal to only treat the types it actually supports and to skip others. We may want to backport that also to UCS 4.2-3.

(1) we have set the default enc types in 4.3 to those permitted in 4.2, see defaults in conffiles/etc/krb5.conf

(In reply to Arvid Requate from comment #4)
> Also, users/user (or rather python-heimdal) should respect the
> "permitted_enctypes" setting specified in /etc/krb5.conf.
>
> Felix also rightly suggests to restrict univention-python-heimdal to only
> treat the types it actually supports and to skip others. We may want to
> backport that also to UCS 4.2-3.

(2) yes we should fix

(a) univention-python-heimdal.enctype.c enctype_string() to not segfault for unknown enctypes

(b) and maybe univention-s4-connector/modules/univention/s4connector/s4/password.py calculate_supplementalCredentials and univention-samba4/s4search-decode decode_krb5Key to ignore unknown enctypes

--- /usr/sbin/s4search-decode.o 2018-02-15 14:20:06.445811000 +0100
+++ /usr/sbin/s4search-decode 2018-02-15 14:18:29.929811000 +0100
@@ -48,6 +48,7 @@
 from datetime import datetime
 
 context = None
+permitted_enctypes = []
 
 keytypes = {
 	1: 'des_crc',
@@ -74,10 +75,20 @@
 def decode_krb5Key(value):
+	global context
+	global permitted_enctypes
+	if not context:
+		context = heimdal.context()
+	if not permitted_enctypes:
+		for enc in context.get_permitted_enctypes():
+			permitted_enctypes.append(enc.toint())
 	k = binascii.a2b_base64(value)
 	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
 	enctype = keyblock.keytype()
 	enctype_id = enctype.toint()
+	if enctype_id not in permitted_enctypes:
+		print "# SKIPPING ENC type %s, not support by heimdal" % enctype_id
+		return
 	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
 	key_data = keyblock.keyvalue()
 	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()

(2) should also be backported to 4.2-3

Created attachment 9391 [details]
manually_filter_permitted_enctypes.patch

Ok, Heimdal 7.1 has additional keys in "default_etypes", and it doesn't consider the "permitted_enctypes" option in krb5.conf. So I created the attached patch to filter the enctypes manually.

When I was ready with that I discovered that the options
* permitted_enctypes
* default_tgs_enctypes
* default_tkt_enctypes
are actually MIT Kerberos options and marked as such in the Heimdal krb5.conf parser. That's Bug 36542. I now fixed it by adjusting the UCR template to use the corresponding Heimdal options. For compatibility reasons I've kept the MIT specific options too.

I would like to patch univention-samba4 and univention-s4-connector to ignore krb5keys with unsupported enctypes (see patches). We should also backport this to 4.2-3.

Created attachment 9392 [details]
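Review bot: the skip branch in the decode_krb5Key hunk throws away information the tool already has: `(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)` runs before `if enctype_id not in permitted_enctypes:`, yet the `return` after the SKIPPING line prints neither kvno nor salt, so an operator cannot tell which key entry was dropped; printing those two before returning (they come from the decoded tuple, not from the enctype object whose string conversion crashes) keeps the output useful, and the message should read "not supported by heimdal". Separately, the filter list is built from `context.get_permitted_enctypes()`, which is the configured list rather than the set of enctypes this Heimdal can name: on a host whose krb5.conf narrows that list, s4search-decode will now also hide keys of perfectly known enctypes. Either say so in the SKIPPING line or check against the `keytypes` dict that the first hunk shows the script already maintains, if that dict is kept to the types this build supports.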
univention-s4-connector.patch
Created attachment 9393 [details]
univention-samba4.patch
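The filtering the patches above add, together with the krb5.conf point from Bug 36542, as an added example that is not part of this bug report and not code from UCS, python-heimdal, univention-samba4 or the s4connector. It decodes the krb5Key values quoted in the description with a small hand-written DER reader for Heimdal's hdb Key structure (mkvno [0] INTEGER OPTIONAL, key [1] EncryptionKey, salt [2] Salt OPTIONAL), so the enctype id can be inspected in plain Python before anything is handed to a binding whose enctype_string() segfaults on an unknown type, and it derives the permitted set from a constructed krb5.conf fragment, preferring the Heimdal option (default_etypes, the name used in the comment above) over the MIT-only permitted_enctypes spelling. The enctype numbers are Heimdal's ENCTYPE assignments; the 4.2 permitted list is the one printed in the description.

```python
"""Decode krb5Key values and skip enctypes the local Heimdal does not know.
Added example for this bug, not code from UCS, python-heimdal or univention-samba4."""
import base64
import re

# Enctype ids as they appear in krb5Key values (Heimdal's ENCTYPE numbering).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac-md5",
}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}
# What context.get_permitted_enctypes() returned on UCS 4.2 according to the bug.
UCS42_PERMITTED = frozenset({18, 17, 16, 5, 23, 3, 2, 1})
# krb5Key values quoted in the bug (enctypes 19, 16 and 20, salt FOUR.TWOucs-sso).
SAMPLE_KEYS = [
    "MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=",
    "MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==",
    "MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv",
]
# Constructed krb5.conf fragment: Heimdal's default_etypes restricted to the 4.2
# list, with the MIT-only permitted_enctypes spelling kept alongside for compatibility.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOUR.TWO
    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
"""


def _tlv(buf, pos=0):
    """Read one DER TLV (single-byte tag); return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _fields(seq):
    """Map [n] tag number -> inner value for a SEQUENCE of context-tagged fields."""
    out, pos = {}, 0
    while pos < len(seq):
        tag, wrapped, pos = _tlv(seq, pos)
        out[tag & 0x1F] = _tlv(wrapped)[1]   # unwrap the explicit [n] tag
    return out


def decode_krb5key(b64):
    """Parse one krb5Key value (hdb Key ::= SEQUENCE { mkvno [0] INTEGER OPTIONAL,
    key [1] EncryptionKey, salt [2] Salt OPTIONAL }) into a plain dict."""
    raw = base64.b64decode(b64)
    tag, body, end = _tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    key = dict.fromkeys(("mkvno", "keytype", "keyvalue", "salttype", "salt"))
    outer = _fields(body)
    if 0 in outer:
        key["mkvno"] = int.from_bytes(outer[0], "big", signed=True)
    ek = _fields(outer[1])                  # EncryptionKey { keytype [0], keyvalue [1] }
    key["keytype"] = int.from_bytes(ek[0], "big", signed=True)
    key["keyvalue"] = ek[1]
    if 2 in outer:
        salt = _fields(outer[2])            # Salt { type [0], salt [1], opaque [2] OPTIONAL }
        key["salttype"] = int.from_bytes(salt[0], "big", signed=True)
        key["salt"] = salt[1]
    return key


def keyblock_b64(key):
    """Raw key bytes as base64, the way s4search-decode prints 'keyblock:'."""
    return base64.b64encode(key["keyvalue"]).decode("ascii")


def permitted_from_krb5conf(text, fallback=UCS42_PERMITTED):
    """Enctype ids permitted by [libdefaults]: Heimdal reads default_etypes, so that
    wins; permitted_enctypes is the MIT name Heimdal ignores and is only a fallback."""
    section = re.search(r"^\[libdefaults\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    for option in ("default_etypes", "permitted_enctypes"):
        m = section and re.search(r"^\s*%s\s*=\s*(.+)$" % option, section.group(1), re.M)
        if m:   # names this table does not know are dropped rather than guessed
            return frozenset(ENCTYPE_IDS[n] for n in m.group(1).split() if n in ENCTYPE_IDS)
    return frozenset(fallback)


def decode_supported(values, permitted):
    """Return (decoded keys, skipped enctype ids): the pre-check s4search-decode and
    calculate_supplementalCredentials need before calling into the heimdal binding."""
    decoded, skipped = [], []
    for b64 in values:
        key = decode_krb5key(b64)
        if key["keytype"] in permitted:
            decoded.append(key)
        else:
            skipped.append(key["keytype"])
    return decoded, skipped


if __name__ == "__main__":
    decoded, skipped = decode_supported(SAMPLE_KEYS, permitted_from_krb5conf(SAMPLE_KRB5_CONF))
    for k in decoded:
        print("#\tkrb5_keytype: %s (%d)" % (ENCTYPE_NAMES[k["keytype"]], k["keytype"]))
        print("#\tkeyblock: %s\n#\tsaltstring: %s" % (keyblock_b64(k), k["salt"].decode()))
    for etype in skipped:
        print("# SKIPPING ENC type %d, not supported by this Heimdal version" % etype)
```

Run as a script it prints the des3-cbc-sha1 key in the s4search-decode layout and two SKIPPING lines for enctypes 19 and 20, the same outcome the QA run of the real tool shows. The check is deliberately done on the integer id from the DER, before any enctype object exists, because it is the string conversion of that object that crashes in the 4.2 binding.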
Adjusted with commit e554b41680, packages rebuilt.

FAIL - changelog

OK - univention-samba4

    univention-ldapsearch uid=test1| ldapsearch-wrapper | s4search-decode
    ...
    krb5Key:: MDShGzAZoAMCAROhEgQQuuM6vxGbZy9NcK1bnwQREKIVMBOgAwIBA6EMBApGQi5CRnRlc3Qx
    # SKIPPING ENC type 19, not support by this Heimdal version
    krb5Key:: MEShKzApoAMCARShIgQgPrt3cs3IlfJI8Zkxn+1wDsiIx1MlPi3g+RzbC77OhYuiFTAToAMCAQOhDAQKRkIuQkZ0ZXN0MQ==
    # SKIPPING ENC type 20, not support by this Heimdal version
    ...

OK - univention-s4-connector

    16.02.2018 11:09:45,606 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=test2,DC=four,DC=two
    16.02.2018 11:09:45,659 LDAP (WARNING): calculate_supplementalCredentials: ignoring enctype '19', not supported by heimdal
    16.02.2018 11:09:45,659 LDAP (WARNING): calculate_supplementalCredentials: ignoring enctype '20', not supported by heimdal
    16.02.2018 11:09:45,719 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=test2,DC=four,DC=two
    16.02.2018 11:09:45,747 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=test2,DC=four,DC=two

> FAIL - changelog

Sigh, it's a regression that occurred during development of UCS 4.3. I've added the bug number to the existing entry for Bug 36542.

(In reply to Arvid Requate from comment #13)
> > FAIL - changelog
>
> Sigh, it's a regression that occurred during development of UCS 4.3. I've
> added the bug number to the existing entry for Bug 36542.

yes, you are right, that should be enough

UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".