smbk5pwd test fails due to perms (FS and AppArmor)

Bug #2004560 reported by Andreas Hasenack
This bug affects 1 person
Affects: openldap (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Andreas Hasenack

Bug Description

https://autopkgtest.ubuntu.com/packages/o/openldap/lunar/amd64

autopkgtest [16:06:32]: test smbk5pwd: [-----------------------
adding new entry "cn=samba,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=hdb,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"

adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config"

ldap_add: Other (e.g., implementation specific) error (80)
 additional info: <olcSmbK5PwdEnable> handler exited with 1
autopkgtest [16:06:33]: test smbk5pwd: -----------------------]
autopkgtest [16:06:33]: test smbk5pwd: - - - - - - - - - - results - - - - - - - - - -
smbk5pwd FAIL non-zero exit status 80

I reproduced this in a container, and the failure is two-fold:

a) /var/lib/heimdal-kdc/ is root:root 0700, and the slapd server needs FS read access to the key

b) Then the slapd apparmor profile blocks it:
[qui fev 2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656 comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000
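
A triage sketch for the kind of AppArmor denial quoted above, added here as an example and not part of the bug report or the openldap packaging. It parses audit records, decodes hex-encoded `name` values, and groups denials into candidate file rules for review; the second and third sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: line 1 is the denial quoted in the bug description;
# line 2 is made up (hex-encoded name); line 3 is a made-up non-denial record.
SAMPLE_LOG = [
    '[qui fev 2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242): '
    'apparmor="DENIED" operation="open" class="file" '
    'namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" '
    'profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656 '
    'comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000',
    'audit: type=1400 audit(1675342450.100:3243): apparmor="DENIED" '
    'operation="open" class="file" profile="/usr/sbin/slapd" '
    'name=2F7661722F6C69622F6D792066696C65 pid=1161656 comm="slapd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1675342451.000:3244): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/sbin/slapd"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # The audit layer writes names with special characters as bare hex.
        if key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Group denials by (profile, path); collect masks and an ownership hint."""
    out = defaultdict(lambda: {"masks": set(), "not_owner": False})
    for rec in filter(None, map(parse_denial, lines)):
        entry = out[(rec["profile"], rec["name"])]
        entry["masks"].update(rec.get("denied_mask", ""))
        # fsuid != ouid: the process does not own the file, so the file mode
        # must grant access as well, independent of the AppArmor profile.
        entry["not_owner"] |= rec.get("fsuid") != rec.get("ouid")
    return dict(out)

def candidate_rules(lines):
    """Render each group as an AppArmor file rule for human review."""
    def quote(p):  # profile rules need quotes around paths with spaces
        return f'"{p}"' if " " in p else p
    return [f"{prof}: {quote(path)} {''.join(sorted(e['masks']))},"
            for (prof, path), e in sorted(summarize(lines).items())]
```

The `not_owner` flag marks records where `fsuid` differs from `ouid`, the situation in point a) where file ownership and mode must also permit the read.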

Andreas Hasenack (ahasenack) wrote :

This bug is in the context of bug #2000817, because it will prevent migration from happening unless fixed.

Changed in openldap (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
tags: added: server-todo
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2

---------------
openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module
  * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the
    smbk5pwd DEP8 test (LP: #2004560)

 -- Andreas Hasenack <email address hidden> Fri, 03 Feb 2023 09:33:14 -0300

Changed in openldap (Ubuntu):
status: In Progress → Fix Released