[SRU]slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

I've just had a similar problem. It's caused by a conflict with AppArmor's slapd policy (in /etc/apparmor.d/usr.sbin.slapd).
I switched apparmor's policy to complain mode with aa-complain and it fixed the problem.

Ryan, could you post the text of AppArmor's complaint ?

AppArmor provided several complaints:

Jun 16 12:30:43 lionel kernel: [ 6122.925033] audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:30:43 lionel kernel: [ 6122.927321] audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"

To fix the top two, I added
  /dev/tty rw,
  /etc/ldap/keytab.ldap kr,
to AppArmor's slapd profile.

Upon restart of AppArmor and slapd, I tried to connect again, and it failed with this log message:

Jun 16 12:38:17 lionel kernel: [ 6577.144098] audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"

From there, I added
  /var/tmp/ r,
  /var/tmp/* rw,
to the slapd profile.

Restarting AppArmor and slapd again, connecting to the server with gssapi works fine and presents no errors.

Attached debdiff was tested and verified to work against a krb5 KDC and kerberized slapd. The profile allows 'kr' access to /etc/krb5.keytab as well as all of /etc/ldap/** (so users can put their keytabs in there).

Attached debdiff also fixes bug #243525

Attached debdiff is (perhaps obviously) for Hardy SRU.

This bug was fixed in the package openldap - 2.4.10-3ubuntu1

---------------
openldap (2.4.10-3ubuntu1) intrepid; urgency=low

  [ Mathias Gug ]
  * Merge from debian unstable, remaining changes:
    - debian/apparmor-profile: add AppArmor profile
    - debian/slapd.postinst: Reload AA profile on configuration
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
      to make sure that if earlier version of apparmour-profiles gets
      installed it won't overwrite our profile.
    - Modify Maintainer value to match the DebianMaintainerField
      speficication.
    - follow ApparmorProfileMigration and force apparmor compalin mode on
      some upgrades (LP: #203529)
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist.
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now.
    - debian/patches/fix-unique-overlay-assertion.patch:
      Fix another assertion error in unique overlay (LP: #243337).
      Backport from head.
  * Dropped - implemented in Debian:
    - debian/patches/fix-gnutls-key-strength.patch:
      Fix slapd handling of ssf using gnutls. (LP: #244925).
    - debian/control:
      Add time as build dependency: needed by make test.
  * debian/control:
    - Build-depend on libltdl7-dev rather then libltdl3-dev.
  * debian/patches/autogen.sh:
    - Call libtoolize with the --install option to install config.{guess,sub}
    files.

  [ Jamie Strandboge ]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

openldap (2.4.10-3) unstable; urgency=low

  [ Steve Langasek ]
  * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
    vulnerability in the BER decoder. Addresses CVE-2008-2952,
    closes: #488710.
  * debian/slapd.scripts-common, debian/slapd.postinst: drop
    update_path_argsfile_pidfile function, not needed for updates from etch
    or newer.
  * Drop the code to check for and upgrade ldbm databases. The etch
    release of slapd had already dropped support for them and direct
    upgrades from sarge are not supported.

  [ Russ Allbery ]
  * Apply upstream patch to convert GnuTLS cipher strength from bytes to
    bits, as expected by OpenLDAP. (Closes: #473796)
  * Add Build-Depends on time, used by the test suite and only a shell
    built-in with bash. Thanks, Daniel Schepler. (Closes: #490754)
  * Refresh all patches, convert all patches to -p1, and remove extraneous
    Index: lines. (Closes: #485263)
  * Unless DFSG_NONFREE is set, also check whether the upstream schemas
    with RFC comments are included.
  * Update standards version to 3.8.0.
    - Include debian/README.source pointing to the quilt README.source.
    - Wrap Uploaders for ...

Hello,

I don't mean to reopen this bug after it's (apparently) been fixed.

I was trying to setup a combined LDAP/Kerberos system today, and ran into this exact problem. I'm running the latest version of Hardy with all updates. After I applied the fixes to the AppArmor profile suggested by Ryan, everything worked.

My major question is (and perhaps this is due to a major misunderstanding on my part): why was this fix applied to the openldap package, when the server itself is in slapd? Indeed, I could not find this patch in the latest slapd package.

Thanks in advance,
Nick

openldap is the name of the source package in the development release, and the slapd profile has been fixed in that release. We will also apply for a StableReleaseUpdate for Ubuntu 8.04 LTS.

Due to apparmor changes kerberos authentication is not available in hardy. This patch fixes it:

Steps to Reproduce:

1. Install openldap2.3
2. Install a kerberos authentication environment
3. Try to authenticate.

NOTE: This test should be done with someone who already has this setup.

I have attached the debdiff that fixes this issue.

chuck

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy? I would like to test that the patch does actually works.

I've tried to install the binary package and compile the source one, but both fail due to missing dependencies (libltdl7) or versions.

On Thu, Aug 07, 2008 at 04:39:29PM -0000, javierpb wrote:
> Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy?
> I would like to test that the patch does actually works.

The version for hardy is 2.4.9-0ubuntu0.8.04.2, which is currently in
hardy-proposed. You can test it by enabling the hardy-proposed pocket in
your "Software Sources" administration dialog.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

I've finally performed the test, and I can confirm that the package in hardy-proposed solves this bug, and GSSAPI authentication to a OpenLDAP server works without problems.

I applied the fix from hardy-proposed, restarted slapd and apparmor, and I am no longer getting errors from apparmor in /var/log/messages. Accessing slapd using GSSAPI doesn't work, however, because slapd doesn't seem to honor my KRB5_KTNAME variable. I had this working in gutsy, but since upgrade to hardy I can't use GSSAPI. Trying to connect gives the following slapd output:

SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

I have a keytab file /etc/ldap/slapd.keytab (owned by openldap:openldap, mode 600), and I have KRB5_KTNAME=/etc/ldap/slapd.keytab. This is set in /etc/default/slapd when slapd is started automatically, and I set on the cmd line before running slapd manually. Neither method works. If I make /etc/slapd.keytab world readable, nothing changes. If I make /etc/krb5.keytab world readable, then it complains instead about not finding the principal it wants, so this is definitely where it is looking. Did something change between gutsy and hardy as far as specifying a keytab? I can't find info on this anywhere else.

Ok, I changed /etc/default/slapd so that the last line reads
export KRB5_KTNAME="/etc/ldap/slapd.keytab"

instead of just:
KRB5_KTNAME="/etc/ldap/slapd.keytab"

The latter worked in gutsy, but I noticed the hardy config file included the "export". GSSAPI in slapd now works when auto-started, but it still won't work from the command line, even if I run export KRB5_KTNAME="/etc/ldap/slapd.keytab".

jplien,

What's the exact command line you're using to try to start slapd manually?

marking this fix as verified, because the remaining issues don't appear to be related to apparmor.

Sorry for the delayed reply. It is working from the command line now. I was exporting the wrong keytab file name. I swear I looked at that 20 times the other day. **sigh**

Fix released in 2.4.9-0ubuntu0.8.04.2.