Missing krbPrincipalKey attributes cause segfaults in libkdb5 with LDAP backend

Bug #929827 reported by Jason B. Alonso
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)
New
High
Unassigned

Bug Description

Running 11.10 (Oneiric). Additional specifications in tags. This appears to apply to libkdb5-5 version 1.9.1+dfsg-1ubuntu2.2.

I have copied a working LDAP-backed KDC configuration from a 64-bit EC2 instance into a 32-bit EC2 instance (the binaries are installed fresh). When I attempt to launch either the KDC or kadmin.local, the process terminates with a segfault. A kernel record in the syslog shows that there was a segfault in libkdb5.so.5.0 (for either process).

I have a sinking suspicion that there is a binary incompatibility in the stash file. I'd appreciate any advice on converting it if that is possible.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libkdb5-5 1.9.1+dfsg-1ubuntu2.2
ProcVersionSignature: Ubuntu 3.0.0-14.23-virtual 3.0.9
Uname: Linux 3.0.0-14-virtual i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Thu Feb 9 20:49:19 2012
Ec2AMI: ami-a500d0cc
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: krb5
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Jason B. Alonso (jalonso-hackorp) wrote :
Revision history for this message
Sam Hartman (hartmans) wrote : Re: [Bug 929827] [NEW] KDC (krb5-kdc-ldap) and kadmin.local segfault in libkdb5.so.5.0.

Old stash files are in fact byte order and probably but I'm not sure
word size dependent. Look at the add_mkey command to kdb5_util. I
think if you add a new master key and write it out to a new keytab
format stash file then all should be well.

If the database was created with 1.9.1 then I would not expect this
problem in the first place.

Revision history for this message
Jason B. Alonso (jalonso-hackorp) wrote : Re: [Bug 929827] [NEW] KDC (krb5-kdc-ldap) and kadmin.local segfault in libkdb5.so.5.0.

Thank you. It turns out I'm a bit of an idiot when I migrated my LDAP server.

In copying the directory, I managed to leave behind my krbPrincipalKey
values (I used replication, which didn't jive with my extremely
paranoid security settings for that attribute).

THAT said, this would have gone much more smoothly if the LDAP backend
gave a helpful error on a lack of krbPrincipalKey values instead of
letting libkdb5 segfault mysteriously.

Truth be told: I haven't *completely* verified that putting the values
back into place will make the problem go away, but I did confirm that
running the old KDC installation (out of a chroot on an amd64 VM)
against a new LDAP server segfaults while running it against the old
LDAP server (again out of the chroot) succeeds. I then ran a diff on
the trees, and found that krbPrincipalKey was missing.

Thanks,
Jason

On Fri, Feb 10, 2012 at 4:00 PM, Sam Hartman <email address hidden> wrote:
> Old stash files are in fact byte order and probably but I'm not sure
> word size dependent.  Look at the add_mkey command to kdb5_util.  I
> think if you add a new master key and write it out to a new keytab
> format stash file then all should be well.
>
> If the database was created with 1.9.1 then I would not expect this
> problem in the first place.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/929827
>
> Title:
>  KDC (krb5-kdc-ldap) and kadmin.local segfault in libkdb5.so.5.0.
>
> Status in “krb5” package in Ubuntu:
>  New
>
> Bug description:
>  Running 11.10 (Oneiric).  Additional specifications in tags.  This
>  appears to apply to libkdb5-5 version 1.9.1+dfsg-1ubuntu2.2.
>
>  I have copied a working LDAP-backed KDC configuration from a 64-bit
>  EC2 instance into a 32-bit EC2 instance (the binaries are installed
>  fresh).  When I attempt to launch either the KDC or kadmin.local, the
>  process terminates with a segfault.  A kernel record in the syslog
>  shows that there was a segfault in libkdb5.so.5.0 (for either
>  process).
>
>  I have a sinking suspicion that there is a binary incompatibility in
>  the stash file.  I'd appreciate any advice on converting it if that is
>  possible.
>
>  ProblemType: Bug
>  DistroRelease: Ubuntu 11.10
>  Package: libkdb5-5 1.9.1+dfsg-1ubuntu2.2
>  ProcVersionSignature: Ubuntu 3.0.0-14.23-virtual 3.0.9
>  Uname: Linux 3.0.0-14-virtual i686
>  ApportVersion: 1.23-0ubuntu4
>  Architecture: i386
>  Date: Thu Feb  9 20:49:19 2012
>  Ec2AMI: ami-a500d0cc
>  Ec2AMIManifest: (unknown)
>  Ec2AvailabilityZone: us-east-1d
>  Ec2InstanceType: m1.small
>  Ec2Kernel: aki-805ea7e9
>  Ec2Ramdisk: unavailable
>  ProcEnviron:
>   PATH=(custom, no user)
>   LANG=en_US.UTF-8
>   SHELL=/bin/bash
>  SourcePackage: krb5
>  UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/929827/+subscriptions

Changed in krb5 (Ubuntu):
importance: Undecided → High
summary: - KDC (krb5-kdc-ldap) and kadmin.local segfault in libkdb5.so.5.0.
+ Missing krbPrincipalKey attributes cause segfaults in libkdb5 with LDAP
+ backend
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.