#632 389-ds-base cannot handle Kerberos tickets with PAC
Closed: wontfix None Opened 11 years ago by nkinder.

Description of problem:
When FreeIPA is configured with AD trust support, Kerberos tickets may also
contain PAC which makes them bigger than usually expected (bigger than 2048 B) -
389-ds-base SASL layer does not accept that.

ipa-adtrust-install

...
[11/19]: activating sidgen plugin and task
[12/19]: activating extdom plugin
[13/19]: configuring smbd to start on boot
[14/19]: adding special DNS service records
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-F19-AD-TEST.socket':

service dirsrv@F19-AD-TEST status

Redirecting to /bin/systemctl status dirsrv@F19-AD-TEST.service
dirsrv@F19-AD-TEST.service - 389 Directory Server F19-AD-TEST.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
Active: active (running) since Wed 2013-03-20 15:54:11 CET; 47min ago
Main PID: 16664 (ns-slapd)
CGroup: name=systemd:/system/dirsrv@.service/F19-AD-TEST
└─16664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-F19-AD-TEST -i /var/run/dirsrv/slap...

Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:07:23 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:26 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 1
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 2
Mar 20 16:41:29 ipa.f19.ad.test ns-slapd[16664]: GSSAPI server step 3
Mar 20 16:41:30 ipa.f19.ad.test ns-slapd[16664]: encoded packet size too big (3014 > 2048)

/var/log/dirsrv/slapd-F19-AD-TEST/errors:
[20/Mar/2013:15:54:10 +0100] - slapd stopped.
[20/Mar/2013:15:54:11 +0100] - 389-Directory/1.3.0.4 B2013.072.1657 starting up
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=f19,dc=ad,dc=test
[20/Mar/2013:15:54:11 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=f19,dc=ad,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[20/Mar/2013:15:54:12 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Mar/2013:15:54:12 +0100] - Listening on All Interfaces port 636 for LDAPS requests
[20/Mar/2013:15:54:12 +0100] - Listening on /var/run/slapd-F19-AD-TEST.socket for LDAPI requests
[20/Mar/2013:16:41:29 +0100] - sasl_io_recv failed to decode packet for connection 23

This section in the 389-ds-base source code looks to be to blame:

$ find -type f | xargs grep -C 5 maxbufsize
./ldap/servers/slapd/saslbind.c- prop_request(propctx, dn_propnames);
./ldap/servers/slapd/saslbind.c- }
./ldap/servers/slapd/saslbind.c- }
./ldap/servers/slapd/saslbind.c-
./ldap/servers/slapd/saslbind.c- /* Enable security for this connection */
./ldap/servers/slapd/saslbind.c: secprops.maxbufsize = 2048; /* DBDB: hack */
./ldap/servers/slapd/saslbind.c- secprops.max_ssf = 0xffffffff;
./ldap/servers/slapd/saslbind.c- secprops.min_ssf = config_get_minssf();
./ldap/servers/slapd/saslbind.c- /* If anonymous access is disabled, set the appropriate flag */
./ldap/servers/slapd/saslbind.c- if (config_get_anon_access_switch() != SLAPD_ANON_ACCESS_ON) {
./ldap/servers/slapd/saslbind.c- secprops.security_flags = SASL_SEC_NOANONYMOUS;

Version-Release number of selected component (if applicable):
389-ds-base-1.3.0.4-1.fc19.x86_64

How reproducible:

Steps to Reproduce:
1. Install freeipa-* packages
2. Run ipa-server-install
3. Run ipa-adtrust-install

Actual results:
ipa-adtrust-install crashes due to issue described above.

Expected results:
389-ds-base accepts tickets with PAC and installer does not crash.

Additional info:

--- Additional comment from Martin Kosek on 2013-03-20 13:00:55 EDT ---

I just verified that by increasing this value, FreeIPA is fixed too.


We should raise our default SASL maxbufsize to 64k. We should also make it configurable.
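
The receive-side length check behind the `encoded packet size too big (3014 > 2048)` line, as an added example that is not 389-ds-base or Cyrus SASL code: SASL security-layer packets carry a 4-byte network-order length prefix (RFC 4422, section 3.7), and the receiver compares it with its advertised maximum buffer size. The function names and the 3014-byte sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_TOO_BIG };

#define OLD_MAXBUF 2048u   /* hard-coded limit quoted in the report */
#define NEW_MAXBUF 65536u  /* the "64k" default proposed in the ticket */

/*
 * Hypothetical helper. buf/len is what has been read from the socket so far;
 * maxbuf is the receive limit this side advertised during SASL negotiation.
 * On FRAME_OK, *payload_len is the size of the wrapped packet after the prefix.
 */
enum frame_status
check_sasl_frame(const unsigned char *buf, size_t len, uint32_t maxbuf, size_t *payload_len)
{
    uint32_t declared;

    if (len < 4)
        return FRAME_NEED_MORE;      /* the length prefix itself is incomplete */
    declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
               ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];

    /* The peer controls this value: reject before allocating or reading more. */
    if (declared > maxbuf)
        return FRAME_TOO_BIG;
    if (len - 4 < declared)
        return FRAME_NEED_MORE;      /* wait for the rest of the packet */
    *payload_len = declared;
    return FRAME_OK;
}

/* Constructed sample: a zero-filled packet of 3014 bytes, the size in the journal line. */
enum frame_status
check_sample(uint32_t maxbuf, size_t *payload_len)
{
    static unsigned char pkt[4 + 3014];
    pkt[2] = 0x0B; pkt[3] = 0xC6;    /* 0x00000BC6 == 3014 */
    return check_sasl_frame(pkt, sizeof(pkt), maxbuf, payload_len);
}

int main(void)
{
    size_t n = 0;
    printf("limit %u -> status %d\n", OLD_MAXBUF, (int)check_sample(OLD_MAXBUF, &n));
    printf("limit %u -> status %d\n", NEW_MAXBUF, (int)check_sample(NEW_MAXBUF, &n));
    return 0;
}
```

Whatever value the limit is raised to or configured as, it stays the upper bound on what an unauthenticated peer can make the server buffer per packet, so the check has to run before any allocation sized from the prefix.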

The fix looks good aside from one minor nitpick.

In slap.h, you added a comment that says "/* The max buffer size for sasl tickets */". This buffer is used by all SASL mechanisms that provide message integrity (signing) or privacy (encryption). It's not restricted to GSSAPI/Kerberos, so the concept of a ticket doesn't necessarily apply. Please change the comment to say something like "The max receive buffer size for SASL".

Providing an ACK, but please adjust the comment before you commit.

Replying to [comment:6 nkinder]:

> The fix looks good aside from one minor nitpick.
>
> In slap.h, you added a comment that says "/* The max buffer size for sasl tickets */". This buffer is used by all SASL mechanisms that provide message integrity (signing) or privacy (encryption). It's not restricted to GSSAPI/Kerberos, so the concept of a ticket doesn't necessarily apply. Please change the comment to say something like "The max receive buffer size for SASL".

Yeah I didn't like the way I worded it either - changing the comment.

Thanks!

> Providing an ACK, but please adjust the comment before you commit.

git merge ticket632
Updating e84c63f..ac6d8e5
Fast-forward
ldap/schema/01core389.ldif | 1 +
ldap/servers/slapd/libglobs.c | 46 ++++++++++++++++++++++++++++++++++++++-
ldap/servers/slapd/proto-slap.h | 2 +
ldap/servers/slapd/saslbind.c | 2 +-
ldap/servers/slapd/slap.h | 2 +
5 files changed, 51 insertions(+), 2 deletions(-)

git push origin master
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.74 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
e84c63f..ac6d8e5 master -> master

git push origin 389-ds-base-1.3.0
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.97 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
a378155..00463a1 389-ds-base-1.3.0 -> 389-ds-base-1.3.0

git push origin 389-ds-base-1.2.11
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.00 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
3d9bd35..6a2b0b1 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.20

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/632

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
