Skip Menu |
 

History Show all quoted textShow full headers
# Tue Nov 18 12:58:36 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Ticket created
Date: Tue, 18 Nov 2014 15:14:47 +0100
Subject: Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: krb5-bugs@mit.edu
Download (untitled) / with headers
text/plain 889B
Download (untitled) / with headers
text/html 1016B

..I have attempted to migrate the K5 binaries from 1.12.22 to 1.13 (both
builds were done on Centos 6.6/x86_64). While the KDC is working correctly
and I can authenticate, the "kadmind" daemon is failing to start. It is
simply hanging and eating 100% of CPU.

As well, when it is invoked, "kadmin.local" goes into the same 100% CPU
loop at the very start, with a message "Authenticating as principal
root/admin@.. with password" and does not return the prompt. [Whereas I
can manually authenticate with "kinit root/admin" without any problem].

If I roll back to 1.12.2, everything works again like a charm..

The binaries were built with the vanilla 1.13 source. All the conf and
db files were left untouched. Stracing does provide no clue. KDC log
contains no errors. Kadmind log is empty.

Had anyone observed anything similar migrating to 1.13?

Thanks ahead for any comment - Andrei.

# Tue Nov 18 16:01:29 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Status changed from 'new' to 'open'
# Tue Nov 18 16:01:29 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
Download (untitled) / with headers
text/plain 1.2KiB
[andrei.maslennikov@gmail.com - Tue Nov 18 12:58:36 2014]:

Show quoted text
> ..I have attempted to migrate the K5 binaries from 1.12.22 to 1.13 (both
> builds were done on Centos 6.6/x86_64). While the KDC is working correctly
> and I can authenticate, the "kadmind" daemon is failing to start. It is
> simply hanging and eating 100% of CPU.
>
> As well, when it is invoked, "kadmin.local" goes into the same 100% CPU
> loop at the very start, with a message "Authenticating as principal
> root/admin@.. with password" and does not return the prompt. [Whereas I
> can manually authenticate with "kinit root/admin" without any problem].
>
> If I roll back to 1.12.2, everything works again like a charm..
>
> The binaries were built with the vanilla 1.13 source. All the conf and
> db files were left untouched. Stracing does provide no clue. KDC log
> contains no errors. Kadmind log is empty.
>
> Had anyone observed anything similar migrating to 1.13?

I do not think we have heard of similar issues from other people migrating to 1.13.

The strace log (or even potentially an ltrace log) may be more informative for us than it was for
you; are you interested in providing some sample output (proably use -s 0 to avoid revealing
secret data)?
# Wed Nov 19 04:09:48 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Comments added
Date: Wed, 19 Nov 2014 10:09:47 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB
Download (untitled) / with headers
text/html 2.3KiB

Hello Benjamin, and many hanks for looking into this!

Please grab this tar.gz file containing the strace and ltrace logs for kadmin.local,
both for working 1.12.2 and hanging 1.13, both binary builds for 1.12.2 and 1.13,
kdc.conf and krb5.conf:

                 http://192.107.82.220/k5/k5.debug.tgz

Please let me know if you might need anything else.

Best regards - Andrei.
 




On Tue, Nov 18, 2014 at 10:01 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Tue Nov 18 12:58:36 2014]:

> ..I have attempted to migrate the K5 binaries from 1.12.22 to 1.13 (both
> builds were done on Centos 6.6/x86_64). While the KDC is working correctly
> and I can authenticate, the "kadmind" daemon is failing to start. It is
> simply hanging and eating 100% of CPU.
>
> As well, when it is invoked, "kadmin.local" goes into the same 100% CPU
> loop at the very start, with a message "Authenticating as principal
> root/admin@.. with password" and does not return the prompt. [Whereas I
> can manually authenticate with "kinit root/admin" without any problem].
>
> If I roll back to 1.12.2, everything works again like a charm..
>
> The binaries were built with the vanilla 1.13 source. All the conf and
> db files were left untouched. Stracing does provide no clue. KDC log
> contains no errors. Kadmind log is empty.
>
> Had anyone observed anything similar migrating to 1.13?

I do not think we have heard of similar issues from other people migrating to 1.13.

The strace log (or even potentially an ltrace log) may be more informative for us than it was for
you; are you interested in providing some sample output (proably use -s 0 to avoid revealing
secret data)?

# Wed Nov 19 04:09:49 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Correspondence added
Date: Wed, 19 Nov 2014 10:09:47 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB
Download (untitled) / with headers
text/html 2.3KiB

Hello Benjamin, and many hanks for looking into this!

Please grab this tar.gz file containing the strace and ltrace logs for kadmin.local,
both for working 1.12.2 and hanging 1.13, both binary builds for 1.12.2 and 1.13,
kdc.conf and krb5.conf:

                 http://192.107.82.220/k5/k5.debug.tgz

Please let me know if you might need anything else.

Best regards - Andrei.
 




On Tue, Nov 18, 2014 at 10:01 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Tue Nov 18 12:58:36 2014]:

> ..I have attempted to migrate the K5 binaries from 1.12.22 to 1.13 (both
> builds were done on Centos 6.6/x86_64). While the KDC is working correctly
> and I can authenticate, the "kadmind" daemon is failing to start. It is
> simply hanging and eating 100% of CPU.
>
> As well, when it is invoked, "kadmin.local" goes into the same 100% CPU
> loop at the very start, with a message "Authenticating as principal
> root/admin@.. with password" and does not return the prompt. [Whereas I
> can manually authenticate with "kinit root/admin" without any problem].
>
> If I roll back to 1.12.2, everything works again like a charm..
>
> The binaries were built with the vanilla 1.13 source. All the conf and
> db files were left untouched. Stracing does provide no clue. KDC log
> contains no errors. Kadmind log is empty.
>
> Had anyone observed anything similar migrating to 1.13?

I do not think we have heard of similar issues from other people migrating to 1.13.

The strace log (or even potentially an ltrace log) may be more informative for us than it was for
you; are you interested in providing some sample output (proably use -s 0 to avoid revealing
secret data)?

# Wed Nov 19 21:12:43 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
Download (untitled) / with headers
text/plain 588B
[andrei.maslennikov@gmail.com - Wed Nov 19 04:09:49 2014]:

Show quoted text
> Hello Benjamin, and many hanks for looking into this!
>
> Please grab this tar.gz file containing the strace and ltrace logs for
> kadmin.local,
> both for working 1.12.2 and hanging 1.13, both binary builds for 1.12.2 and
> 1.13,
> kdc.conf and krb5.conf:

Many thanks for the very comprehensive listing.

Do you by any chance have something like a password quality module or some other out-of-tree
plugin module installed?

I think the next step may be to attach gdb to the spinning/hung kadmin.local and get a
backtrace.
# Thu Nov 20 04:04:03 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Comments added
Date: Thu, 20 Nov 2014 10:04:02 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 8.1KiB
Download (untitled) / with headers
text/html 10.1KiB


Hello, it seems we are getting closer to the origin of the loop!


This is what happens with the looping kadmin.local:

------------------------------------------------------------
[root@sys cli]# pwd
/sys.1/Trash/K5/krb5-1.13/src/kadmin/cli

[root@sys cli]# ls
deps       getdate.y     kadmin.c      kadmin_ct.o   kadmin.o        keytab_local.o  Makefile.in   strftime.c
getdate.c  k5srvutil.sh  kadmin_ct.c   kadmin.h      keytab.c        keytab.o        ss_wrapper.c
getdate.o  kadmin        kadmin_ct.ct  kadmin.local  keytab_local.c  Makefile        ss_wrapper.o

root@sys cli]# ./kadmin.local
Authenticating as principal root/admin@MASL.EU with password.
<entered the loop>
-------------------------------------------------------------

In another window:

[root@sys cli]# pwd
/sys.1/Trash/K5/krb5-1.13/src/kadmin/cli

[root@sys cli]# ps -ef | grep kadmin.local | grep -v grep
root     29736     1 36 09:24 pts/2    00:00:07 /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local
root     29738 29775 99 09:24 pts/3    00:00:03 ./kadmin.local

[root@sys cli]# gdb kadmin.local
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-75.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local...done.
(gdb) attach 29736
Attaching to program: /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local, process 29736
Reading symbols from /usr/lib64/libedit.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libedit.so.0
Reading symbols from /lib64/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libncurses.so.5
Reading symbols from /usr/k5.vanilla/lib/libkadm5srv_mit.so.9...done.
Loaded symbols for /usr/k5.vanilla/lib/libkadm5srv_mit.so.9
Reading symbols from /usr/k5.vanilla/lib/libkdb5.so.8...done.
Loaded symbols for /usr/k5.vanilla/lib/libkdb5.so.8
Reading symbols from /usr/k5.vanilla/lib/libgssrpc.so.4...done.
Loaded symbols for /usr/k5.vanilla/lib/libgssrpc.so.4
Reading symbols from /usr/k5.vanilla/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/k5.vanilla/lib/libgssapi_krb5.so.2
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/k5.vanilla/lib/libkrb5.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libkrb5.so.3
Reading symbols from /usr/k5.vanilla/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libk5crypto.so.3
Reading symbols from /usr/k5.vanilla/lib/libcom_err.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libcom_err.so.3
Reading symbols from /usr/k5.vanilla/lib/libkrb5support.so.0...done.
Loaded symbols for /usr/k5.vanilla/lib/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libtinfo.so.5
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x0000003063b2cb98 in __strcasecmp_l_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 libedit-2.11-4.20080712cvs.1.el6.x86_64 ncurses-libs-5.7-3.20090208.el6.x86_64
(gdb)


With a little more luck, in another run:
...
Loaded symbols for /lib64/libtinfo.so.5
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
krb5_string_to_enctype (string=0x12aa7e2 "arcfour-hmac", enctypep=0x7fff089274f8) at enctype_util.c:77
77      enctype_util.c: No such file or directory.
        in enctype_util.c
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 libedit-2.11-4.20080712cvs.1.el6.x86_64 ncurses-libs-5.7-3.20090208.el6.x86_64
(gdb) quit

I.e. it looks like kadmin.local goes mad while comparing strings or looking for encryption type "arcfour-hmac".

At this point, I looked againd at the kdc.conf.


I had:

[realms]
 MASL.EU = {
 master_key_type = aes256-cts-hmac-sha1-96
 database_name = /var/k5/krb5kdc/principal
 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal rc4-hmac-exp:normal des-cbc-crc:v4 des-cbc-crc:afs3 arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal
 max_life = 30d
 default_principal_flags = +preauth
 }

Then I removed these enctypes:

"arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal"

At this point - no more loops!!! kadmin.local worked ok.

Thus the issue is turning around "arcfour-hmac". My current list of encryption types includes this
family, and I have to keep them there as the principals already possess the corresponding keys:


[root@sys krb5kdc]# /usr/k5.vanilla/sbin/kadmin.local
Authenticating as principal root/admin@MASL.EU with password.
kadmin.local:  getprinc testus
Principal: testus@MASL.EU
Expiration date: [never]
Last password change: Mon Dec 30 22:53:38 CET 2013
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Dec 30 22:53:38 CET 2013 (root/admin@MASL.EU)
Last successful authentication: Wed Nov 19 08:55:21 CET 2014
Last failed authentication: Thu Oct 02 12:41:56 CEST 2014
Failed password attempts: 0
Number of keys: 10
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
Key: vno 1, des-cbc-crc:v4
Key: vno 1, des-cbc-crc:afs3
Key: vno 1, arcfour-hmac:norealm
Key: vno 1, arcfour-hmac:onlyrealm
Key: vno 1, des3-cbc-sha1
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

To conclude:

- the working kadmin version 1.12.2 has no problems with the quoted kdc.conf

- the new kadmin version 1.13 goes mad about certain encryption types and
you should be able to easily reproduce this behaviour in your own test environment
by adding these enctypes to your kdc.conf:

"arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal"

(If I recall it correctly, "arcfour-hmac" is used on Windows clients, and we have some
Win machines that get the authentication from K5MIT and not from AD).

What could be done about it?

Cheers - Andrei.

PS I have mentioned that the Builds directory of my yesterday's tar file was
in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
hence replaced the tar.file with the one correcting the correct Builds subdir,
sorry for this mistake. You may again grab it at:

       http://afsita.masl.eu/k5/k5.debug.tgz







 




































On Thu, Nov 20, 2014 at 3:12 AM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Wed Nov 19 04:09:49 2014]:

> Hello Benjamin, and many hanks for looking into this!
>
> Please grab this tar.gz file containing the strace and ltrace logs for
> kadmin.local,
> both for working 1.12.2 and hanging 1.13, both binary builds for 1.12.2 and
> 1.13,
> kdc.conf and krb5.conf:

Many thanks for the very comprehensive listing.

Do you by any chance have something like a password quality module or some other out-of-tree
plugin module installed?

I think the next step may be to attach gdb to the spinning/hung kadmin.local and get a
backtrace.

# Thu Nov 20 04:04:03 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Correspondence added
Date: Thu, 20 Nov 2014 10:04:02 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 8.1KiB
Download (untitled) / with headers
text/html 10.1KiB


Hello, it seems we are getting closer to the origin of the loop!


This is what happens with the looping kadmin.local:

------------------------------------------------------------
[root@sys cli]# pwd
/sys.1/Trash/K5/krb5-1.13/src/kadmin/cli

[root@sys cli]# ls
deps       getdate.y     kadmin.c      kadmin_ct.o   kadmin.o        keytab_local.o  Makefile.in   strftime.c
getdate.c  k5srvutil.sh  kadmin_ct.c   kadmin.h      keytab.c        keytab.o        ss_wrapper.c
getdate.o  kadmin        kadmin_ct.ct  kadmin.local  keytab_local.c  Makefile        ss_wrapper.o

root@sys cli]# ./kadmin.local
Authenticating as principal root/admin@MASL.EU with password.
<entered the loop>
-------------------------------------------------------------

In another window:

[root@sys cli]# pwd
/sys.1/Trash/K5/krb5-1.13/src/kadmin/cli

[root@sys cli]# ps -ef | grep kadmin.local | grep -v grep
root     29736     1 36 09:24 pts/2    00:00:07 /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local
root     29738 29775 99 09:24 pts/3    00:00:03 ./kadmin.local

[root@sys cli]# gdb kadmin.local
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-75.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local...done.
(gdb) attach 29736
Attaching to program: /sys.1/Trash/K5/krb5-1.13/src/kadmin/cli/kadmin.local, process 29736
Reading symbols from /usr/lib64/libedit.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libedit.so.0
Reading symbols from /lib64/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libncurses.so.5
Reading symbols from /usr/k5.vanilla/lib/libkadm5srv_mit.so.9...done.
Loaded symbols for /usr/k5.vanilla/lib/libkadm5srv_mit.so.9
Reading symbols from /usr/k5.vanilla/lib/libkdb5.so.8...done.
Loaded symbols for /usr/k5.vanilla/lib/libkdb5.so.8
Reading symbols from /usr/k5.vanilla/lib/libgssrpc.so.4...done.
Loaded symbols for /usr/k5.vanilla/lib/libgssrpc.so.4
Reading symbols from /usr/k5.vanilla/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/k5.vanilla/lib/libgssapi_krb5.so.2
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/k5.vanilla/lib/libkrb5.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libkrb5.so.3
Reading symbols from /usr/k5.vanilla/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libk5crypto.so.3
Reading symbols from /usr/k5.vanilla/lib/libcom_err.so.3...done.
Loaded symbols for /usr/k5.vanilla/lib/libcom_err.so.3
Reading symbols from /usr/k5.vanilla/lib/libkrb5support.so.0...done.
Loaded symbols for /usr/k5.vanilla/lib/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libtinfo.so.5
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x0000003063b2cb98 in __strcasecmp_l_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 libedit-2.11-4.20080712cvs.1.el6.x86_64 ncurses-libs-5.7-3.20090208.el6.x86_64
(gdb)


With a little more luck, in another run:
...
Loaded symbols for /lib64/libtinfo.so.5
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
krb5_string_to_enctype (string=0x12aa7e2 "arcfour-hmac", enctypep=0x7fff089274f8) at enctype_util.c:77
77      enctype_util.c: No such file or directory.
        in enctype_util.c
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 libedit-2.11-4.20080712cvs.1.el6.x86_64 ncurses-libs-5.7-3.20090208.el6.x86_64
(gdb) quit

I.e. it looks like kadmin.local goes mad while comparing strings or looking for encryption type "arcfour-hmac".

At this point, I looked againd at the kdc.conf.


I had:

[realms]
 MASL.EU = {
 master_key_type = aes256-cts-hmac-sha1-96
 database_name = /var/k5/krb5kdc/principal
 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal rc4-hmac-exp:normal des-cbc-crc:v4 des-cbc-crc:afs3 arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal
 max_life = 30d
 default_principal_flags = +preauth
 }

Then I removed these enctypes:

"arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal"

At this point - no more loops!!! kadmin.local worked ok.

Thus the issue is turning around "arcfour-hmac". My current list of encryption types includes this
family, and I have to keep them there as the principals already possess the corresponding keys:


[root@sys krb5kdc]# /usr/k5.vanilla/sbin/kadmin.local
Authenticating as principal root/admin@MASL.EU with password.
kadmin.local:  getprinc testus
Principal: testus@MASL.EU
Expiration date: [never]
Last password change: Mon Dec 30 22:53:38 CET 2013
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Dec 30 22:53:38 CET 2013 (root/admin@MASL.EU)
Last successful authentication: Wed Nov 19 08:55:21 CET 2014
Last failed authentication: Thu Oct 02 12:41:56 CEST 2014
Failed password attempts: 0
Number of keys: 10
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
Key: vno 1, des-cbc-crc:v4
Key: vno 1, des-cbc-crc:afs3
Key: vno 1, arcfour-hmac:norealm
Key: vno 1, arcfour-hmac:onlyrealm
Key: vno 1, des3-cbc-sha1
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

To conclude:

- the working kadmin version 1.12.2 has no problems with the quoted kdc.conf

- the new kadmin version 1.13 goes mad about certain encryption types and
you should be able to easily reproduce this behaviour in your own test environment
by adding these enctypes to your kdc.conf:

"arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm arcfour-hmac-md5:normal"

(If I recall it correctly, "arcfour-hmac" is used on Windows clients, and we have some
Win machines that get the authentication from K5MIT and not from AD).

What could be done about it?

Cheers - Andrei.

PS I have mentioned that the Builds directory of my yesterday's tar file was
in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
hence replaced the tar.file with the one correcting the correct Builds subdir,
sorry for this mistake. You may again grab it at:

       http://afsita.masl.eu/k5/k5.debug.tgz







 




































On Thu, Nov 20, 2014 at 3:12 AM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Wed Nov 19 04:09:49 2014]:

> Hello Benjamin, and many hanks for looking into this!
>
> Please grab this tar.gz file containing the strace and ltrace logs for
> kadmin.local,
> both for working 1.12.2 and hanging 1.13, both binary builds for 1.12.2 and
> 1.13,
> kdc.conf and krb5.conf:

Many thanks for the very comprehensive listing.

Do you by any chance have something like a password quality module or some other out-of-tree
plugin module installed?

I think the next step may be to attach gdb to the spinning/hung kadmin.local and get a
backtrace.

# Thu Nov 20 11:10:45 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
Download (untitled) / with headers
text/plain 2.6KiB
[andrei.maslennikov@gmail.com - Thu Nov 20 04:04:03 2014]:

Show quoted text
> Hello, it seems we are getting closer to the origin of the loop!

Yes, indeed.

Show quoted text
> I.e. it looks like kadmin.local goes mad while comparing strings or looking
> for encryption type "arcfour-hmac".

We did change some code relating to how the keysalt list is processed, so that's likely the culprit
here.

Show quoted text
> Thus the issue is turning around "arcfour-hmac". My current list of
> encryption types includes this
> family, and I have to keep them there as the principals already possess the
> corresponding keys:

This is not actually true; the "supported_enctypes" variable is rather misnamed -- it controls the
generation of new keys on the KDC (e.g., from user-supplied passwords) by specifying which
enctypes will be generated, but has no effect on the operation of existing keys. (There is a
separate variable, "permitted_enctypes", which does have that effect.)

Show quoted text
> "arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm
> arcfour-hmac-md5:normal"

The arcfour family of enctypes do not actually use a salt, ever, so there is no difference between
the :normal, :norealm, and :onlyrealm forms. I am not yet sure if this duplication is causing the
spinning, but it is certainly unnecessary in your configuration.

Show quoted text
> (If I recall it correctly, "arcfour-hmac" is used on Windows clients, and
> we have some
> Win machines that get the authentication from K5MIT and not from AD).

Windows XP and Windows Server 2003 only support the arcfour and single-DES encryption types.
Newer versions of windows also support the more modern AES encryption types (though perhaps
Windows Server 2008 would need some manual configuration to start using them; this is not
entirely clear to me). If your windows clients are, e.g., Windows 7 and above, they can handle
AES enctypes just fine. You will probably need to go and rekey some things to make a full
transition, but the mere presence of such windows clients does not require you to keep arcfour
around. The arcfour enctypes are likely to be deprecated in the next year or two.

Show quoted text
> What could be done about it?

I will fire up a test KDC with the problematic supported_enctypes list and look into a fix.

Show quoted text
> Cheers - Andrei.
>
> PS I have mentioned that the Builds directory of my yesterday's tar file was
> in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
> hence replaced the tar.file with the one correcting the correct Builds
> subdir,
> sorry for this mistake. You may again grab it at:
>
> http://afsita.masl.eu/k5/k5.debug.tgz

Thanks, but I think just the bit about supported_enctypes will be enough for now.

Thanks for following up on this issue.

-Ben
# Thu Nov 20 11:42:03 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Comments added
Date: Thu, 20 Nov 2014 17:42:02 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 2.9KiB
Download (untitled) / with headers
text/html 3.7KiB
Hi Ben, thanks a lot!

Will be waiting for further input from you.

Cheers - Andrei.

On Thu, Nov 20, 2014 at 5:10 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Thu Nov 20 04:04:03 2014]:

> Hello, it seems we are getting closer to the origin of the loop!

Yes, indeed.

> I.e. it looks like kadmin.local goes mad while comparing strings or looking
> for encryption type "arcfour-hmac".

We did change some code relating to how the keysalt list is processed, so that's likely the culprit
here.

> Thus the issue is turning around "arcfour-hmac". My current list of
> encryption types includes this
> family, and I have to keep them there as the principals already possess the
> corresponding keys:

This is not actually true; the "supported_enctypes" variable is rather misnamed -- it controls the
generation of new keys on the KDC (e.g., from user-supplied passwords) by specifying which
enctypes will be generated, but has no effect on the operation of existing keys.  (There is a
separate variable, "permitted_enctypes", which does have that effect.)

> "arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm
> arcfour-hmac-md5:normal"

The arcfour family of enctypes do not actually use a salt, ever, so there is no difference between
the :normal, :norealm, and :onlyrealm forms.  I am not yet sure if this duplication is causing the
spinning, but it is certainly unnecessary in your configuration.

> (If I recall it correctly, "arcfour-hmac" is used on Windows clients, and
> we have some
> Win machines that get the authentication from K5MIT and not from AD).

Windows XP and Windows Server 2003 only support the arcfour and single-DES encryption types.
Newer versions of windows also support the more modern AES encryption types (though perhaps
Windows Server 2008 would need some manual configuration to start using them; this is not
entirely clear to me).  If your windows clients are, e.g., Windows 7 and above, they can handle
AES enctypes just fine.  You will probably need to go and rekey some things to make a full
transition, but the mere presence of such windows clients does not require you to keep arcfour
around.  The arcfour enctypes are likely to be deprecated in the next year or two.

> What could be done about it?

I will fire up a test KDC with the problematic supported_enctypes list and look into a fix.

> Cheers - Andrei.
>
> PS I have mentioned that the Builds directory of my yesterday's tar file was
> in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
> hence replaced the tar.file with the one correcting the correct Builds
> subdir,
> sorry for this mistake. You may again grab it at:
>
>        http://afsita.masl.eu/k5/k5.debug.tgz

Thanks, but I think just the bit about supported_enctypes will be enough for now.

Thanks for following up on this issue.

-Ben

# Thu Nov 20 11:42:03 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Correspondence added
Date: Thu, 20 Nov 2014 17:42:02 +0100
Subject: Re: [krbdev.mit.edu #8038] Kadmind/kadmin.local issues after migration from version 1.12.2 to 1.13
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 2.9KiB
Download (untitled) / with headers
text/html 3.7KiB
Hi Ben, thanks a lot!

Will be waiting for further input from you.

Cheers - Andrei.

On Thu, Nov 20, 2014 at 5:10 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
[andrei.maslennikov@gmail.com - Thu Nov 20 04:04:03 2014]:

> Hello, it seems we are getting closer to the origin of the loop!

Yes, indeed.

> I.e. it looks like kadmin.local goes mad while comparing strings or looking
> for encryption type "arcfour-hmac".

We did change some code relating to how the keysalt list is processed, so that's likely the culprit
here.

> Thus the issue is turning around "arcfour-hmac". My current list of
> encryption types includes this
> family, and I have to keep them there as the principals already possess the
> corresponding keys:

This is not actually true; the "supported_enctypes" variable is rather misnamed -- it controls the
generation of new keys on the KDC (e.g., from user-supplied passwords) by specifying which
enctypes will be generated, but has no effect on the operation of existing keys.  (There is a
separate variable, "permitted_enctypes", which does have that effect.)

> "arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm
> arcfour-hmac-md5:normal"

The arcfour family of enctypes do not actually use a salt, ever, so there is no difference between
the :normal, :norealm, and :onlyrealm forms.  I am not yet sure if this duplication is causing the
spinning, but it is certainly unnecessary in your configuration.

> (If I recall it correctly, "arcfour-hmac" is used on Windows clients, and
> we have some
> Win machines that get the authentication from K5MIT and not from AD).

Windows XP and Windows Server 2003 only support the arcfour and single-DES encryption types.
Newer versions of windows also support the more modern AES encryption types (though perhaps
Windows Server 2008 would need some manual configuration to start using them; this is not
entirely clear to me).  If your windows clients are, e.g., Windows 7 and above, they can handle
AES enctypes just fine.  You will probably need to go and rekey some things to make a full
transition, but the mere presence of such windows clients does not require you to keep arcfour
around.  The arcfour enctypes are likely to be deprecated in the next year or two.

> What could be done about it?

I will fire up a test KDC with the problematic supported_enctypes list and look into a fix.

> Cheers - Andrei.
>
> PS I have mentioned that the Builds directory of my yesterday's tar file was
> in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
> hence replaced the tar.file with the one correcting the correct Builds
> subdir,
> sorry for this mistake. You may again grab it at:
>
>        http://afsita.masl.eu/k5/k5.debug.tgz

Thanks, but I think just the bit about supported_enctypes will be enough for now.

Thanks for following up on this issue.

-Ben

# Fri Nov 21 16:09:53 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Given to kaduk@MIT.EDU (Benjamin Kaduk)
# Fri Nov 21 16:09:53 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Target_Version 1.13.1 added
# Fri Nov 21 16:09:53 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Status changed from 'open' to 'review'
# Fri Nov 21 16:09:53 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Tags pullup added
# Fri Nov 21 16:09:53 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
From: kaduk@MIT.EDU
Subject: git commit
Download (untitled) / with headers
text/plain 646B

Avoid infinite loop on duplicate keysalts

When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.

Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.

https://github.com/krb5/krb5/commit/c828e7cb137de3559f026dcc552a52162d9ca5cd
Author: Ben Kaduk <kaduk@mit.edu>
Commit: c828e7cb137de3559f026dcc552a52162d9ca5cd
Branch: master
src/lib/kadm5/str_conv.c | 21 ++++++++++-----------
1 files changed, 10 insertions(+), 11 deletions(-)
# Fri Nov 21 17:00:17 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Comments added
Date: Fri, 21 Nov 2014 23:00:16 +0100
Subject: Re: [krbdev.mit.edu #8038] git commit
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 999B
Download (untitled) / with headers
text/html 1.5KiB
Great, many thanks Ben!

Will be grabbing it on Monday.

Best regards - Andrei.

PS I have tried to subscribe to "kerberos" and "krb5-bugs" lists via mailman,
but got no reply. Do you know if these lists are still alive?



On Fri, Nov 21, 2014 at 10:09 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text

Avoid infinite loop on duplicate keysalts

When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.

Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.

https://github.com/krb5/krb5/commit/c828e7cb137de3559f026dcc552a52162d9ca5cd
Author: Ben Kaduk <kaduk@mit.edu>
Commit: c828e7cb137de3559f026dcc552a52162d9ca5cd
Branch: master
 src/lib/kadm5/str_conv.c |   21 ++++++++++-----------
 1 files changed, 10 insertions(+), 11 deletions(-)


# Fri Nov 21 17:00:17 2014 Andrei Maslennikov <andrei.maslennikov@gmail.com> - Correspondence added
Date: Fri, 21 Nov 2014 23:00:16 +0100
Subject: Re: [krbdev.mit.edu #8038] git commit
From: Andrei Maslennikov <andrei.maslennikov@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 999B
Download (untitled) / with headers
text/html 1.5KiB
Great, many thanks Ben!

Will be grabbing it on Monday.

Best regards - Andrei.

PS I have tried to subscribe to "kerberos" and "krb5-bugs" lists via mailman,
but got no reply. Do you know if these lists are still alive?



On Fri, Nov 21, 2014 at 10:09 PM, Benjamin Kaduk via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text

Avoid infinite loop on duplicate keysalts

When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.

Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.

https://github.com/krb5/krb5/commit/c828e7cb137de3559f026dcc552a52162d9ca5cd
Author: Ben Kaduk <kaduk@mit.edu>
Commit: c828e7cb137de3559f026dcc552a52162d9ca5cd
Branch: master
 src/lib/kadm5/str_conv.c |   21 ++++++++++-----------
 1 files changed, 10 insertions(+), 11 deletions(-)


# Fri Nov 21 18:45:10 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
Download (untitled) / with headers
text/plain 710B
[andrei.maslennikov@gmail.com - Fri Nov 21 17:00:17 2014]:
Show quoted text
>
> PS I have tried to subscribe to "kerberos" and "krb5-bugs" lists via
> mailman,
> but got no reply. Do you know if these lists are still alive?

They are still active, yes.
You are visiting http://mailman.mit.edu/mailman/listinfo/kerberos and
http://mailman.mit.edu/mailman/listinfo/krb5-bugs ? (Note that the latter is basically just
automated traffic.)

The normal workflow is to use the webform to file a subscription request, which sends a
confirmation email with a confirmation code. There's a link in that mail which can be used to
confirm the subscription request, or one can just reply to the email leaving the subject intact.

-Ben
# Tue Dec 16 14:25:55 2014 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'
# Tue Dec 16 14:25:55 2014 tlyu (Taylor Yu) - Version_Fixed 1.13.1 added
# Tue Dec 16 14:25:55 2014 tlyu (Taylor Yu) - Correspondence added
From: tlyu@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 752B

Avoid infinite loop on duplicate keysalts

When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.

Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.

(cherry picked from commit c828e7cb137de3559f026dcc552a52162d9ca5cd)

https://github.com/krb5/krb5/commit/d1a1b7c83ac568cbfec230bbdb3a9506ea27d1ca
Author: Ben Kaduk <kaduk@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: d1a1b7c83ac568cbfec230bbdb3a9506ea27d1ca
Branch: krb5-1.13
src/lib/kadm5/str_conv.c | 21 ++++++++++-----------
1 files changed, 10 insertions(+), 11 deletions(-)
# Wed Dec 16 18:03:03 2015 tlyu (Taylor Yu) - CustomField pullup deleted