Skip Menu |
 

Subject: Policy extensions in 1.11 break iprop dump compatibility
Download (untitled) / with headers
text/plain 1.1KiB
Ticket 7223 (commit 5829ca2b348974e52a67b553afc7f7491007c33a) extends
password policy objects to include allowed_keysalts and some other
fields we might use in the future. It adds a new r1_11_version dump
version, but simply edits the ipropx_version structure to use the new
policy functions.

As a result, with an updated slave and a new master, ipropx full
dumps fail, because the master generates dump files using the 1.8
policy format and the slave tries to interpret them using the 1.11
format. Compatibility in the other direction (new master, old slave)
is probably also broken; although the pre-1.11 process_r1_8_policy()
function claims to ignore additional values on the line, it does not
appear to do so.

By contrast, when the policy structure was extended in 1.8, a second
version of the iprop dump format was added, so no iprop compatibility
issue was created. The method by which this was done is a little
confusing (the new format has the tag "ipropx" with a sub-version,
when it seems that simply adding an "iprop2" tag would be just as
good).

Here is a report of the issue:

http://mailman.mit.edu/pipermail/kerberos/2015-June/020869.html
I believe we can retroactively add compatibility with pre-1.11 ipropx
dumps, by trying the 1.11 policy format and then the 1.8 format.

We can't retroactively add compatibility in the old-slave direction,
but compatibility in that direction is problematic anyway, as there is
no easy way to pass a per-slave flag to kdb5_util dump to generate an
old-format dump on the master. (With traditional kprop, the admin is
responsible for writing a cron job which generates the dump and invokes
kprop for each slave, and can generate older-format dumps for older
slaves in the job.)

Regardless of what we do, we need to document this issue where we talk
about upgrades.
From: ghudson@mit.edu
Subject: git commit

Fix compatibility with pre-1.11 iprop dump files

Ticket #7223 added new policy fields and a new dump format version to
marshal them, but did not add a new iprop dump format version. As a
result, slave KDCs running 1.11 or later cannot receive full resyncs
from master KDCs running 1.10 or earlier. (Reported by John
Devitofranceschi.)

Retroactively add support for pre-1.11 policy entries by making
process_r1_11_policy() read the first ten fields, check whether the
next whitespace character is a newline, and then read the rest if it
is not.

https://github.com/krb5/krb5/commit/3c9ab5220bcc3f57641f6f4b6942b17aadb6613d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3c9ab5220bcc3f57641f6f4b6942b17aadb6613d
Branch: master
src/kadmin/dbutil/dump.c | 58 +++++++++++++++++++++++++++++++---------------
src/tests/t_dump.py | 12 +++++++--
2 files changed, 48 insertions(+), 22 deletions(-)