Ubuntu
krb5 package

Getting new "DN is out of the realm subtree" error on adding principal

Bug #1817955 reported by Nate Crawford
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Won't Fix
Undecided
Unassigned

Bug Description

Recently applied security update to 14.04.5 LTS kerberos (1.12+dfsg-2ubuntu5.4), and started getting errors when adding new principals to LDAP.

Obfuscated example:

kadmin.local -q "ank -x dn=\"uid=testuser,ou=People,dc=example,dc=com\" -pw \"dummypass\" testuser"

now gives:
Authenticating as principal <email address hidden> with password.
NOTICE: no policy specified for <email address hidden>; assigning "default"
add_principal: DN is out of the realm subtree while creating "<email address hidden>".

This worked up through 1.12+dfsg-2ubuntu5.3, and I think it now fails due to changes in src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in response to CVE-2018-5729 or CVE-2018-5730.

I'm going to attempt a downgrade to 1.12+dfsg-2ubuntu5.3 to check.

Revision history for this message
Sam Hartman (hartmans) wrote : Re: [Bug 1817955] [NEW] Getting new "DN is out of the realm subtree" error on adding principal

Yes, it is because of that change.
is the dn outside of the subtree?

Revision history for this message
Nate Crawford (nrm-crawford) wrote :

I do not think so, but I may not fully understand what "subtree" implies.

The realm was initially created with a command equivalent to:

kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r TEST.EXAMPLE.COM -s -H ldap://ldapserver.example.com

with user entries like:
dn: uid=testuser,ou=People,dc=example,dc=com

I explicitly added the ou=People,dc=example,dc=com with "kdb5_ldap_util ... modify -subtrees ...", but that did not help. Setting sscope to 2 also did nothing.

I can add a principal without specifying dn, but that leads to an entry like:
dn: <email address hidden>,cn=TEST.EXAMPLE.COM,cn=krb5,dc=example,dc=com

Revision history for this message
lincvz (cvuillemez) wrote :

Same error after upgrading krb5 packages from 1.12+dfsg-2ubuntu5.3 to 1.12+dfsg-2ubuntu5.4.

Adding a principal in a subtree outside the realm container fails.

Realm container DN is "cn=TEST.EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"

But realm has subtree "dc=example,dc=com", with scope = SUB:

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap://ldapserver.example.com view -r TEST.EXAMPLE.COM
               Realm Name: TEST.EXAMPLE.COM
                  Subtree: dc=example,dc=com
              SearchScope: SUB

So I should add a principal anywhere in "dc=example,dc=com" , e.g. "ou=People,dc=example,dc=com" .

Revision history for this message
lincvz (cvuillemez) wrote :

Even explicitly added subtree doesn't work:

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap://ldapserver.example.com modify -r TEST.EXAMPLE.COM -subtrees 'dc=example,dc=com:ou=People,dc=example,dc=com"

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap://ldapserver.example.com view -r TEST.EXAMPLE.COM
               Realm Name: TEST.EXAMPLE.COM
                  Subtree: dc=example,dc=com
                  Subtree: ou=People,dc=example,dc=com
              SearchScope: SUB

Still get the error "DN is out of the realm subtree" when adding a principal in "ou=People,dc=example,dc=com"

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Rafael David Tinoco (rafaeldtinoco)
Changed in krb5 (Ubuntu Trusty):
status: New → Triaged
Changed in krb5 (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
lincvz (cvuillemez) wrote :

Is the fix released in Trustu ESM repository ? I don't see it.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Trusty has reached its end of standard support.

Changed in krb5 (Ubuntu Trusty):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.