Date: Sun, 12 Apr 2015 19:21:41 -0400 (EDT)
From: Roland Mainz <rmainz@redhat.com>
To: krb5-bugs@mit.edu
Subject: [krb5bug] kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 (big-endian issue ?) ...
CC: Greg Hudson <ghudson@mit.edu>

Hi!
----
This was discovered with test "t_kdb.py" that is new on krb5-1.12.x and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression: the same issue was observed on s390x and ppc64 on krb5-1.11.x and krb5-1.10.x.
Either run the test suite and the test "t_kdb.py" should fail (make sure openldap is installed) or manually create a test realm with LDAP database backend, then:
-- snip --
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 536870912 days 00:00:00
Maximum renewable life: 1073741824 days 00:00:00
Ticket flags:
-- snip --
It looks like the policy flags are correct in the database, only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more or less a cosmetic issue:
-- snip --
[root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#
dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 10800
krbMaxRenewableAge: 21600
krbTicketFlags: 2
search: 2
result: 0 Success
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol
[root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#
dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 14400
krbMaxRenewableAge: 28800
krbTicketFlags: 128
search: 2
result: 0 Success
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 715827882 days 16:00:00
Maximum renewable life: 1431655765 days 08:00:00
Ticket flags:
-- snip --
Expected results:
Like on x86_64 and ppc64le:
-- snip --
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root@rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 0 days 03:00:00
Maximum renewable life: 0 days 06:00:00
Ticket flags: DISALLOW_FORWARDABLE
-- snip --
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) rmainz@redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)
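
The following is an added example, not part of the original message and not krb5 code. It tests one hypothesis the report does not state: that a 32-bit value is stored at the start of a zeroed 64-bit slot which is then read back as 64 bits. The function names (read_slot, shown_days, shown_secs_of_day, shown_flags) are hypothetical; the inputs are the attribute values from the ldapsearch output above.

```c
/* Added illustration, not krb5 code. Assumption: a 32-bit value is stored
 * at the start of a zeroed 64-bit slot and the slot is then read as 64 bits. */
#include <stdint.h>
#include <stdio.h>

enum order { LITTLE, BIG };

/* Emulate the store/load byte by byte so the result is host-independent. */
uint64_t read_slot(uint32_t v, enum order o)
{
    unsigned char slot[8] = {0};
    uint64_t out = 0;
    int i;

    for (i = 0; i < 4; i++)     /* 32-bit store into slot[0..3] */
        slot[i] = (unsigned char)(v >> (o == BIG ? 24 - 8 * i : 8 * i));
    for (i = 0; i < 8; i++)     /* 64-bit load from slot[0..7] */
        out |= (uint64_t)slot[i] << (o == BIG ? 56 - 8 * i : 8 * i);
    return out;
}

uint64_t shown_days(uint32_t secs, enum order o)
{
    return read_slot(secs, o) / 86400;
}

uint64_t shown_secs_of_day(uint32_t secs, enum order o)
{
    return read_slot(secs, o) % 86400;
}

/* Flags are 32 bits wide; only the low half of the slot would be shown. */
uint32_t shown_flags(uint32_t flags, enum order o)
{
    return (uint32_t)read_slot(flags, o);
}

int main(void)
{
    /* Constructed inputs: krbMaxTicketLife / krbMaxRenewableAge values
     * and the krbTicketFlags value 2 from the report's ldapsearch output. */
    const uint32_t life[] = { 10800, 21600, 14400, 28800 };
    unsigned i;

    for (i = 0; i < 4; i++)
        printf("%u s: big-endian %llu days + %llu s, little-endian %llu days + %llu s\n",
               life[i],
               (unsigned long long)shown_days(life[i], BIG),
               (unsigned long long)shown_secs_of_day(life[i], BIG),
               (unsigned long long)shown_days(life[i], LITTLE),
               (unsigned long long)shown_secs_of_day(life[i], LITTLE));
    printf("flags 2: big-endian 0x%x, little-endian 0x%x\n",
           shown_flags(2, BIG), shown_flags(2, LITTLE));
    return 0;
}
```

Under this assumption the big-endian results reproduce every lifetime printed on s390x/ppc64 in the report (including the 16:00:00 and 08:00:00 remainders) and an empty flag word, while the little-endian results match the x86_64 output.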