Univention Bugzilla – Bug 46301
4.3 master, 4.2 backup with s4connector, connector on backup segfaults
Last modified: 2018-03-28 13:58:47 CEST
+++ This bug was initially created as a clone of Bug #46292 +++

During the update to 4.3 on the master, the ucs-sso user is created with these krb5 keys

this causes a segfault in the s4connector (python heimdal bindings) and s4search-decode

-> univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode
...
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 23
# krb5_keytype: arcfour-hmac-md5
# krb5_keytype: arcfour-hmac-md5 (23)
# keyblock: 1k8wegm/+pjNKG0JluZkzw==
# as NThash: D64F307A09BFFA98CD286D0996E664CF
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 3
# krb5_keytype: des-cbc-md5
# krb5_keytype: des-cbc-md5 (3)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 19
Speicherzugriffsfehler (Speicherabzug geschrieben)

now with skipping the broken keys

-> univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode
...
uid: ucs-sso
sambaBadPasswordTime: 0
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 23
# krb5_keytype: arcfour-hmac-md5
# krb5_keytype: arcfour-hmac-md5 (23)
# keyblock: 1k8wegm/+pjNKG0JluZkzw==
# as NThash: D64F307A09BFFA98CD286D0996E664CF
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 3
# krb5_keytype: des-cbc-md5
# krb5_keytype: des-cbc-md5 (3)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 19
SKIPPING
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
# krb5_keytype: 16
# krb5_keytype: des3-cbc-sha1
# krb5_keytype: des3-cbc-sha1 (16)
# keyblock: GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 20
SKIPPING
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 1
# krb5_keytype: des-cbc-crc
# krb5_keytype: des-cbc-crc (1)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
# krb5_keytype: 17
# krb5_keytype: aes128-cts-hmac-sha1-96
# krb5_keytype: aes128-cts-hmac-sha1-96 (17)
# keyblock: rPDps5hY83xPSTD+737lmQ==
# saltstring: FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 2
# krb5_keytype: des-cbc-md4
# krb5_keytype: des-cbc-md4 (2)
# keyblock: W4x1fCnqjEM=
# saltstring: FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
# krb5_keytype: 18
# krb5_keytype: aes256-cts-hmac-sha1-96
# krb5_keytype: aes256-cts-hmac-sha1-96 (18)
# keyblock: yv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbU=
# saltstring: FOUR.TWOucs-sso
Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug could be backported, but that's not strictly necessary currently.
(In reply to Arvid Requate from comment #1)
> Nothing to be done here? Should be fixed by Bug 36542. If anything, that bug
> could be backported, but that's not strictly necessary currently.

I would like to see the univention-s4-connector and univention-samba4 patches from Bug #46292 merged to 4.2-3. Just to make sure the connector does not segfault with "invalid" krb5keys.

Yes, this is not necessary (as we fixed the enctypes in 4.3), but in the very unlikely situation that somebody fiddled around with e.g. kerberos/defaults/enctypes/tgs it could happen, so in my opinion we should better make sure the connector can handle this.
Created attachment 9394
manually_filter_heimdal_enctypes.patch

Ok, I understand, this is the patch from Bug #46292.
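The idea of filtering enctypes before a krb5Key value reaches the native Heimdal binding, as an added example that is not the attached patch or Univention's code: a small pure-Python DER reader pulls the keytype out of each value and skips anything outside an allow-list. The allow-list, the helper names and the sample values are assumptions; the samples are constructed with zeroed key material and a made-up salt.

```python
import base64
# Enctypes that the s4search-decode output in this report names; 19 and 20 are
# the ones it skips. Using this set as the allow-list is an assumption.
KNOWN_ENCTYPES = {1, 2, 3, 16, 17, 18, 23}

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, want):
    tag, value, _ = read_tlv(buf, 0)
    if tag != want:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return value

def krb5key_enctype(raw):
    seq, pos = expect(raw, 0x30), 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA1:  # [1] key: SEQUENCE { [0] keytype INTEGER, [1] keyvalue }
            keytype = expect(expect(expect(field, 0x30), 0xA0), 0x02)
            return int.from_bytes(keytype, "big")
    raise ValueError("krb5Key has no [1] key field")

def split_keys(b64_values):  # -> (usable, skipped) lists of (value, enctype)
    usable, skipped = [], []
    for value in b64_values:
        try:
            enctype = krb5key_enctype(base64.b64decode(value, validate=True))
        except ValueError:  # bad base64 or malformed DER: never hand it on
            enctype = None
        (usable if enctype in KNOWN_ENCTYPES else skipped).append((value, enctype))
    return usable, skipped

def tlv(tag, body):  # short-form lengths only; enough for the constructed samples
    return bytes([tag, len(body)]) + body
def make_sample(enctype, keyvalue, salt=b"EXAMPLE.TESTdemo"):  # constructed value
    key = tlv(0xA1, tlv(0x30, tlv(0xA0, tlv(0x02, bytes([enctype]))) + tlv(0xA1, tlv(0x04, keyvalue))))
    slt = tlv(0xA2, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x03")) + tlv(0xA1, tlv(0x04, salt))))
    return base64.b64encode(tlv(0x30, key + slt)).decode()
SAMPLES = [make_sample(23, bytes(16)), make_sample(19, bytes(16)), make_sample(18, bytes(32)), "AAAA"]
```

Only the values in `usable` would be passed on to the binding; `skipped` carries the enctype (or `None` for undecodable input) so the caller can log what was dropped.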
cherry picked commit from 4.3-0 to 4.2-3

univention-samba4 univention-s4-connector 66c6f53b2987ac5096048b4d78205d65f36739cc
fixed bug number c1ac1932b8148cda924a168873b076ba843a8c8e
yaml c7b78cfac5c9e2ade7708013be3b7681c52e28d1
Backport ok, Advisory too.
<http://errata.software-univention.de/ucs/4.2/314.html>
<http://errata.software-univention.de/ucs/4.2/315.html>