Bug 46301

Summary:	4.3 master, 4.2 backup with s4connector, connector on backup segfaults
Product:	UCS	Reporter:	Felix Botner <botner>
Component:	UDM (Generic)	Assignee:	Felix Botner <botner>
Status:	CLOSED FIXED	QA Contact:	Arvid Requate <requate>
Severity:	normal
Priority:	P5	CC:	requate
Version:	UCS 4.3
Target Milestone:	UCS 4.2-3-errata
Hardware:	Other
OS:	Linux
What kind of report is it?:	Development Internal	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):
Max CVSS v3 score:
Bug Depends on:	46292
Bug Blocks:	46298
Attachments:	manually_filter_heimdal_enctypes.patch

Description Felix Botner

2018-02-16 11:33:10 CET

+++ This bug was initially created as a clone of Bug #46292 +++

During the update to 4.3 on the master, the ucs-sso user is created with these krb5 keys

userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv

this causes a segfault in the s4connector (python heimdal bindings) and s4search-decode


->  univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
Speicherzugriffsfehler (Speicherabzug geschrieben)


now a with skipping the broken keys

-> univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...
uid: ucs-sso
sambaBadPasswordTime: 0
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
SKIPPING
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
#	krb5_keytype: 16
#	krb5_keytype: des3-cbc-sha1
#	krb5_keytype: des3-cbc-sha1 (16)
#	keyblock:  GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 20
SKIPPING
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 1
#	krb5_keytype: des-cbc-crc
#	krb5_keytype: des-cbc-crc (1)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 17
#	krb5_keytype: aes128-cts-hmac-sha1-96
#	krb5_keytype: aes128-cts-hmac-sha1-96 (17)
#	keyblock:  rPDps5hY83xPSTD+737lmQ==
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 2
#	krb5_keytype: des-cbc-md4
#	krb5_keytype: des-cbc-md4 (2)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 18
#	krb5_keytype: aes256-cts-hmac-sha1-96
#	krb5_keytype: aes256-cts-hmac-sha1-96 (18)
#	keyblock:  yv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbU=
#	saltstring:  FOUR.TWOucs-sso

Comment 1 Arvid Requate

2018-02-16 12:24:30 CET

Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug could be backported, but that's not strictly necessary currently.

Comment 2 Felix Botner

2018-02-16 12:50:41 CET

(In reply to Arvid Requate from comment #1)
> Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug
> could be backported, but that's not strictly necessary currently.

I would like to see the univention-s4-connector and univention-samba4 patches from Bug #46292 merged to 4.2-3. Just to make sure the connector does not segfault with "invalid" krb5keys.

Yes, this is not necessary (as we fixed the enctypes  in 4.3), but in the very unlikely situation that somebody fiddled around with e.g kerberos/defaults/enctypes/tgs it could happen, so in my opinion we should better make sure the connector can handle this

Comment 3 Arvid Requate

2018-02-16 13:16:29 CET

Created attachment 9394 [details]
manually_filter_heimdal_enctypes.patch

Ok, I understand, this is the patch from Bug #46292.

Comment 4 Felix Botner

2018-03-19 18:33:55 CET

cherry picked commit from 4.3-0 to 4.2-3

univention-samba4 univention-s4-connector
66c6f53b2987ac5096048b4d78205d65f36739cc

fixed bug number
c1ac1932b8148cda924a168873b076ba843a8c8e

yaml
c7b78cfac5c9e2ade7708013be3b7681c52e28d1

Comment 5 Arvid Requate

2018-03-27 19:09:29 CEST

Backport ok, Advisory too.

Comment 6 Arvid Requate

2018-03-28 13:58:47 CEST

<http://errata.software-univention.de/ucs/4.2/314.html>
<http://errata.software-univention.de/ucs/4.2/315.html>