Skip Menu |
 

Date: Sun, 12 Apr 2015 19:21:41 -0400 (EDT)
From: Roland Mainz <rmainz@redhat.com>
To: krb5-bugs@mit.edu
Subject: [krb5bug] kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 (big-endian issue ?) ...
CC: Greg Hudson <ghudson@mit.edu>
Download (untitled) / with headers
text/plain 2.8KiB

Hi!

----

This was discovered with test "t_kdb.py" that is new on krb5-1.12.x and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression the same issue was observed on s390x and ppc64 on krb5-1.11.x and krb5-1.10.x.

Either run the test suite and the test "t_kdb.py" should fail (make sure openldap is installed) or manually create a test realm with LDAP database backend, then:
-- snip --
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 536870912 days 00:00:00
Maximum renewable life: 1073741824 days 00:00:00
Ticket flags:
-- snip --

It looks like the policy flags are correct in the database only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more less a cosmetic issue:
-- snip --
[root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#

dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 10800
krbMaxRenewableAge: 21600
krbTicketFlags: 2

search: 2
result: 0 Success

[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol
[root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#

dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 14400
krbMaxRenewableAge: 28800
krbTicketFlags: 128

search: 2
result: 0 Success

[root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret"
view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 715827882 days 16:00:00
Maximum renewable life: 1431655765 days 08:00:00
Ticket flags:
-- snip --

Expected results:
Like on x86_64 and ppc64le:
-- snip --
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root@rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w
"secret" view_policy tktpol
Ticket policy: tktpol
Maximum ticket life: 0 days 03:00:00
Maximum renewable life: 0 days 06:00:00
Ticket flags: DISALLOW_FORWARDABLE
-- snip --

----

Bye,
Roland

--
__ . . __
(o.\ \/ /.o) rmainz@redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)

I think the problem is in krb5_ldap_read_policy() in ldap_tkt_policy.c,
where it makes three calls to krb5_ldap_get_value() and casts from long
* to int * for the return parameter. On a big-endian LP64 platform,
the 32-bit result gets written into the high 32 bits of the field.

There are some other unsafe uses of krb5_ldap_get_value() which cast
from int32_t * to int *, but those aren't likely to cause a practical
issue since there aren't any common platforms where int isn't 32 bits.
We should probably fix those when we fix the bug, though.

We do have a big-endian nightly build machine running Solaris, but it
doesn't test LDAP functionality for lack of dependencies. It will take
a bit to spin up an LDAP environment on that machine to test the fix
with.
If possible, please test the patch at https://github.com/krb5/krb5/pull/272 in the environment where the bug
manifests.
Subject: [krbdev.mit.edu #8166] [krb5bug] kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 (big-endian issue ?) ...
From: Patrik Kis <pkis@redhat.com>
To: rt-comment@krbdev.mit.edu
Date: Tue, 14 Apr 2015 16:15:05 +0200
RT-Send-Cc:
Tested on ppc64 and s390x platforms and the patch fixes the issue.
Verified with krb5-1.13.1 and also backported to krb5-1.12.2, where it
fixed the issue too.
From: ghudson@mit.edu
Subject: git commit

Fix LDAP ticket policies on big-endian LP64

krb5_ldap_get_value() takes a pointer to int, and should not be passed
a pointer to any integral type which might have a different width.
Use an intermediate variable for each call.

The erroneous calls in ldap_misc.c were passing pointers to int32_t,
which is harmless on all common platforms. The calls in
ldap_tkt_policy.c were passing pointers to long; on big-endian LP64
platforms, the result would be written to the high 32 bits of the long
value.

https://github.com/krb5/krb5/commit/7fbc092107298bded216fbce4cff6592275bff03
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7fbc092107298bded216fbce4cff6592275bff03
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 19 +++++++++----------
src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 16 ++++++++++------
2 files changed, 19 insertions(+), 16 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix LDAP ticket policies on big-endian LP64

krb5_ldap_get_value() takes a pointer to int, and should not be passed
a pointer to any integral type which might have a different width.
Use an intermediate variable for each call.

The erroneous calls in ldap_misc.c were passing pointers to int32_t,
which is harmless on all common platforms. The calls in
ldap_tkt_policy.c were passing pointers to long; on big-endian LP64
platforms, the result would be written to the high 32 bits of the long
value.

(cherry picked from commit 7fbc092107298bded216fbce4cff6592275bff03)

https://github.com/krb5/krb5/commit/50913c7372c5c13a1270d6823f914e07ce0563ba
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 50913c7372c5c13a1270d6823f914e07ce0563ba
Branch: krb5-1.13
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 19 +++++++++----------
src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 16 ++++++++++------
2 files changed, 19 insertions(+), 16 deletions(-)