Bug 44912 – Add error message to pwd_scheme_kinit overlay module

Bug 44912 - Add error message to pwd_scheme_kinit overlay module


Summary:	Add error message to pwd_scheme_kinit overlay module

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-1-errata
Assigned To:	Florian Best
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:	44382 45438
	Show dependency tree / graph

Reported:	2017-06-30 14:34 CEST by Florian Best
Modified:	2017-09-22 14:06 CEST (History)
CC List:	3 users (show)

See Also:	45046
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Error handling, Troubleshooting, Usability
Max CVSS v3 score:

Attachments
fill_sr_text.scratch (1.48 KB, patch) 2017-07-10 20:57 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2017-06-30 14:34:09 CEST

The overlay module pwd_scheme_kinit (Bug #35092) doesn't report meaningful error messages:
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

This happens very often in UCS-in-Active Directory environments with an unknown reason (e.g. in our Jenkins tests and Bug #44382).

We should add a 'info' attribute to the error which contains the reason which we get from "kinit". There might me messages like "clock skewed".

Additionally there is a printf() in the code, which should be removed.

Comment 1 Florian Best

2017-06-30 14:35:08 CEST

"15_pwd_scheme_kinit.patch" needs to be adjusted in patches/openldap/....

Comment 2 Florian Best

2017-07-06 16:04:39 CEST

Talked with Howard Chu. It's not possible with this boolean-only library.
Maybe instead we can at least log something to syslog?

Comment 3 Florian Best

2017-07-06 16:25:34 CEST

(In reply to Florian Best from comment #2)
> Talked with Howard Chu. It's not possible with this boolean-only library.
> Maybe instead we can at least log something to syslog?
It's a security concern that password modules don't give valuable information to attackers.

When calling LUTIL_PASSWD_CHK_FUNC (in our case: kinit_chk()) we can pass a 4th argument (const char **text) containing a message which is displayed to the end user. But the constant needs to be set before we know any credentials. So this is not usable for us. Or can we hack this and pass something we can modify instead?

Comment 4 Arvid Requate

2017-07-10 20:57:13 CEST

Created attachment 9009 [details]
fill_sr_text.scratch

From the source code I see mdb_bind calling slap_passwd_check with
&(SlapReply *rs)->sr_text as the (const char **text) argument.

So kinit_chk should be able to assign a string to *text, similar to lutil_passwd_hash. See attached scratch.

That SlapReply structure finally gets send via send_ldap_result.

Comment 5 Arvid Requate

2017-07-10 20:58:29 CEST

Beware: no clue if KRB5KRB_AP_ERR_SKEW actually is a valid return code to check here.

Comment 6 Florian Best

2017-07-18 15:26:25 CEST

Thank you very much for this (new knowledge) :-)

I adapted the messages in the patch a little bit.
Using the error code KRB5KRB_AP_ERR_SKEW works.

r17625 | Bug #44912: add more specific error message to pwd_scheme_kinit overlay

openldap.yaml:
r81221 | YAML Bug #44912

Comment 7 Florian Best

2017-07-18 15:36:05 CEST

Should we expose the kerberos status code if it's an unknown error?:
Something like:
if (text) sprintf(text, "Unknown kerberos error %d during authentication.", k5_rc);

Comment 8 Florian Best

2017-07-19 10:43:32 CEST

On my system also the kerberos error "-1765328373 KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short" occurred.
I added another error message for this: "The requested effective lifetime is negative or too short."

r17629 | Bug #44912: also handle KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short

The results are already visible in the AD member tests:

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/ADMemberMultiEnv/4/Mode=module,Version=w2k12-german-other-join-user/testReport/71_udm-settings/30_create_ldap_schema/test/

ldap.INVALID_CREDENTIALS: {'info': 'Unknown kerberos error during authentication.', 'desc': 'Invalid credentials'}

Comment 9 Daniel Tröder

2017-07-20 08:18:05 CEST

Update in errata scope fails:

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

E: Fehlschlag beim Holen von http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4.42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

Comment 10 Florian Best

2017-07-20 10:14:41 CEST

(In reply to Daniel Tröder from comment #9)
> Update in errata scope fails:
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/ldap-utils_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap2-dev_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/slapd_2.4.42+dfsg-2.
> A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein
> 
> E: Fehlschlag beim Holen von
> http://192.168.0.10/build2/ucs_4.2-0-errata4.2-1/amd64/libldap-2.4-2_2.4.
> 42+dfsg-2.A~4.2.0.201707190950_amd64.deb  Größe stimmt nicht überein

Complain at Bug #45046!

Comment 11 Florian Best

2017-07-20 11:13:51 CEST

Fixed in version: 2.4.42+dfsg-2.A~4.2.0.201707201034

Comment 12 Arvid Requate

2017-07-25 19:17:45 CEST

Ok, I created a user, modified userPassword to {KINIT} and devastated my krb5.conf. Then I attempt to ldapsearch. After a timeout the syslog shows:

=======================================================================
master10 slapd[2213]: OVER: rs->sr_err != LDAP_SUCCESS on "uid=user1,dc=ar41i1,dc=qa" ERR: 0x31
master10 slapd[2213]: conn=1006 op=0 RESULT tag=97 err=49 text=No authentication server is available.
=======================================================================

The first line is from translog, the second shows your error message text, so that's cool.

In the patch I see that you use

  log_k5_rc("krb5_get_init_creds_password:", k5_rc, op);

as default, but not in the "known" error cases. I would suggest to generally to this.

Comment 13 Florian Best

2017-07-26 11:43:50 CEST

r17634 | Bug #44912: always log kerberos error message

Comment 14 Arvid Requate

2017-07-26 12:55:42 CEST

* Code review: Ok
* Functional test: Ok
* Advisory: Ok

Comment 15 Erik Damrose

2017-07-26 14:39:38 CEST

<http://errata.software-univention.de/ucs/4.2/100.html>