Description of problem: When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B)
...
  [11/19]: activating sidgen plugin and task
  [12/19]: activating extdom plugin
  [13/19]: configuring smbd to start on boot
  [14/19]: adding special DNS service records
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-F19-AD-TEST.socket':
Redirecting to /bin/systemctl status dirsrv@F19-AD-TEST.service
dirsrv@F19-AD-TEST.service - 389 Directory Server F19-AD-TEST.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Wed 2013-03-20 15:54:11 CET; 47min ago
 Main PID: 16664 (ns-slapd)
   CGroup: name=systemd:/system/dirsrv@.service/F19-AD-TEST
           └─16664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-F19-AD-TEST -i /var/run/dirsrv/slap...
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:30 ipa.f19.ad.test ns-slapd[16664]: encoded packet size too big (3014 > 2048)
/var/log/dirsrv/slapd-F19-AD-TEST/errors:
[20/Mar/2013:15:54:10 +0100] - slapd stopped.
[20/Mar/2013:15:54:11 +0100] - 389-Directory/1.3.0.4 B2013.072.1657 starting up
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Mar/2013:15:54:12 +0100] - Listening on All Interfaces port 636 for LDAPS requests
[20/Mar/2013:15:54:12 +0100] - Listening on /var/run/slapd-F19-AD-TEST.socket for LDAPI requests
[20/Mar/2013:16:41:29 +0100] - sasl_io_recv failed to decode packet for connection 23
This section of the 389-ds-base source code appears to be to blame:
$ find -type f | xargs grep -C 5 maxbufsize
./ldap/servers/slapd/saslbind.c-            prop_request(propctx, dn_propnames);
./ldap/servers/slapd/saslbind.c-        }
./ldap/servers/slapd/saslbind.c-    }
./ldap/servers/slapd/saslbind.c-
./ldap/servers/slapd/saslbind.c-    /* Enable security for this connection */
./ldap/servers/slapd/saslbind.c:    secprops.maxbufsize = 2048; /* DBDB: hack */
./ldap/servers/slapd/saslbind.c-    secprops.max_ssf = 0xffffffff;
./ldap/servers/slapd/saslbind.c-    secprops.min_ssf = config_get_minssf();
./ldap/servers/slapd/saslbind.c-    /* If anonymous access is disabled, set the appropriate flag */
./ldap/servers/slapd/saslbind.c-    if (config_get_anon_access_switch() != SLAPD_ANON_ACCESS_ON) {
./ldap/servers/slapd/saslbind.c-        secprops.security_flags = SASL_SEC_NOANONYMOUS;
Version-Release number of selected component (if applicable): 389-ds-base-1.3.0.4-1.fc19.x86_64
How reproducible:
Steps to Reproduce:
1. Install freeipa-* packages
2. Run ipa-server-install
3. Run ipa-adtrust-install
Actual results: ipa-adtrust-install crashes due to the issue described above.
Expected results: 389-ds-base accepts tickets with a PAC and the installer does not crash.
Additional info:
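An added example (not code from 389-ds-base or Cyrus SASL) modelling the receive-side check behind the "encoded packet size too big (3014 > 2048)" message above: the length prefix of a SASL-wrapped packet is compared against maxbufsize before the payload is buffered, so the hard-coded 2048 rejects a PAC-bearing GSSAPI token that the 64k default proposed later in this ticket accepts. The function names, the constants and the 4-byte big-endian length framing are this example's own assumptions about the security layer, not 389-ds-base's API.

```c
/* Added example, not 389-ds-base or Cyrus SASL code: a SASL-wrapped packet is
 * a 4-byte big-endian length followed by the signed/sealed payload. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define OLD_MAXBUFSIZE 2048u   /* value hard-coded in saslbind.c */
#define NEW_MAXBUFSIZE 65536u  /* proposed 64k default */
typedef enum { PKT_OK = 0, PKT_SHORT = 1, PKT_TOO_BIG = 2 } pkt_status;
/* Parse the length prefix and validate it against maxbufsize before any
 * buffer for the payload is allocated. Sets *payload_len on PKT_OK. */
pkt_status check_sasl_packet(const unsigned char *buf, size_t len,
                             uint32_t maxbufsize, uint32_t *payload_len)
{
    if (len < 4)
        return PKT_SHORT;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n > maxbufsize)     /* the "encoded packet size too big" case */
        return PKT_TOO_BIG;
    if (len - 4 < n)
        return PKT_SHORT;   /* partial read; wait for the rest of the packet */
    *payload_len = n;
    return PKT_OK;
}

/* Constructed packet of the given payload size; the filler stands in for a
 * GSSAPI wrap token (a PAC-carrying ticket easily exceeds 2048 bytes). */
unsigned char *make_packet(uint32_t payload_len, size_t *out_len)
{
    size_t total = 4 + (size_t)payload_len;
    unsigned char *p = malloc(total);
    if (!p) return NULL;
    p[0] = (unsigned char)(payload_len >> 24); p[1] = (unsigned char)(payload_len >> 16);
    p[2] = (unsigned char)(payload_len >> 8);  p[3] = (unsigned char)payload_len;
    memset(p + 4, 0xAA, payload_len);
    *out_len = total;
    return p;
}

/* 1 if a packet with payload_len bytes is accepted under maxbufsize, else 0. */
int packet_accepted(uint32_t payload_len, uint32_t maxbufsize)
{
    size_t n; uint32_t got = 0;
    unsigned char *p = make_packet(payload_len, &n);
    if (!p) return 0;
    pkt_status st = check_sasl_packet(p, n, maxbufsize, &got);
    free(p);
    return st == PKT_OK && got == payload_len;
}
```

Raising the cap to 64k still bounds the per-connection receive buffer; it is a larger fixed limit, not an unbounded one.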
--- Additional comment from Martin Kosek on 2013-03-20 13:00:55 EDT ---
I just verified that by increasing this value, FreeIPA is fixed too.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=923879 (Fedora)
We should raise our default SASL maxbufsize to 64k. We should also make it configurable.
attachment 0001-Ticket-632-389-ds-base-cannot-handle-Kerberos-ticket.patch
The fix looks good aside from one minor nitpick.
In slap.h, you added a comment that says "/* The max buffer size for sasl tickets */". This buffer is used by all SASL mechanisms that provide message integrity (signing) or privacy (encryption). It's not restricted to GSSAPI/Kerberos, so the concept of a ticket doesn't necessarily apply. Please change the comment to say something like "The max receive buffer size for SASL".
Providing an ACK, but please adjust the comment before you commit.
Replying to [comment:6 nkinder]:
The fix looks good aside from one minor nitpick. In slap.h, you added a comment that says "/* The max buffer size for sasl tickets */". This buffer is used by all SASL mechanisms that provide message integrity (signing) or privacy (encryption). It's not restricted to GSSAPI/Kerberos, so the concept of a ticket doesn't necessarily apply. Please change the comment to say something like "The max receive buffer size for SASL".
Yeah, I didn't like the way I worded it either - changing the comment.
Thanks!
git merge ticket632
Updating e84c63f..ac6d8e5
Fast-forward
 ldap/schema/01core389.ldif      |  1 +
 ldap/servers/slapd/libglobs.c   | 46 ++++++++++++++++++++++++++++++++++++++-
 ldap/servers/slapd/proto-slap.h |  2 +
 ldap/servers/slapd/saslbind.c   |  2 +-
 ldap/servers/slapd/slap.h       |  2 +
 5 files changed, 51 insertions(+), 2 deletions(-)
git push origin master
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.74 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   e84c63f..ac6d8e5  master -> master
git push origin 389-ds-base-1.3.0
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.97 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   a378155..00463a1  389-ds-base-1.3.0 -> 389-ds-base-1.3.0
git push origin 389-ds-base-1.2.11
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.00 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3d9bd35..6a2b0b1  389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.20
389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in 389-ds-base's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/632
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)