apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

Bug #1472639 reported by Kartik Subbarao on 2015-07-08
Affects: openldap (Ubuntu)
Importance: High
Assigned to: Ryan Harper

Bug Description

The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l.kcm-socket which is used by kerberos:

apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0

This is as of 2.4.40+dfsg-1ubuntu1.

Robie Basak (racb) on 2015-07-10
tags: added: apparmor
Changed in openldap (Ubuntu):
importance: Undecided → High
Ryan Tandy (rtandy) wrote :

Hi Kartik,

To help me reproduce and verify this, can you describe your setup where slapd stores its credentials in the KCM?

I'm asking because I do see these denials, but they don't appear to affect operation with a keytab, and I haven't been able to get slapd to work without a keytab. I'm guessing I might be missing an option to kinit (thereby caching insufficient credentials), or something.

(I can cache my own credentials in the KCM, and auth with those, just fine.)

Or from a different angle: does your setup work properly if you aa-complain slapd?

Kartik Subbarao (subbarao) wrote :

I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but I figured that the error message wasn't a good thing to see.

Sorry I can't be of more help in isolating why this error is showing up.

Robie Basak (racb) on 2016-06-07
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Harper (raharper)
Ryan Harper (raharper) wrote :

Hi,

From what I can tell, looking at the existing slapd apparmor profile, it does not include access to the kcm socket in /run as you say. However, I've yet to discover how to have slapd attempt to access this particular socket.

I've examined a number of Kerberos + OpenLDAP setups and there's no easy answer on how to setup and configure this combination and certainly no indication which one of those would trigger such an access.

Is there any additional information you can provide to help narrow down what possible configuration is needed and which command or action would trigger?

I'll start reading the LDAP server code to see if I can understand a bit more what the KDC socket is doing, but in the meantime I'd like as much detail as possible.

Note, the version mentioned, 2.4.40, appeared between the Vivid and Wily releases; Trusty has 2.4.31 and Xenial/Yakkety are at 2.4.42.

If possible, it would be useful to know if this can be reproduced on Xenial or Yakkety; or if it's only on the older releases (Trusty and Precise would be affected).

Changed in openldap (Ubuntu):
status: New → Incomplete
Kartik Subbarao (subbarao) wrote :

Hi Ryan,

Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf:

authz-regexp
    uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??sub?(exampleKrb5PrincipalName=$1@$2)
sasl-realm EXAMPLE.COM
sasl-secprops minssf=0

As I mentioned before, I do have an /etc/krb5.keytab. ldapwhoami -Y GSSAPI works fine. I don't know precisely how slapd ends up using kcm. slapd is linked with libheimbase.so.1, so presumably it ends up calling some heimdal library function that ends up accessing that socket.

Ryan Harper (raharper) wrote :

Do you have a specific guide or sequence you followed?

1. apt-get install slapd krb5* heimdal-kdc .. etc?

And then the various config changes applied?

I'll keep digging.

Kartik Subbarao (subbarao) wrote :

Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes.

In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence.

I've been working around this issue by adding a line to /etc/apparmor.d/local/usr.sbin.slapd, and I'm okay with this workaround. I guess I was assuming that the fix would be a simple patch to /etc/apparmor.d/usr.sbin/slapd to permit the socket (i.e. assuming that Kerberos is fairly standard and it seems reasonable to allow a process like slapd to access the socket if it has permissions to do so).

Given the amount of complexity that now seems to be involved, I'm reluctant to (even implicitly) ask you guys to spend more time on this. Feel free to pursue this as you want, but definitely don't feel any pressure on my account.

Hi,
this bug was dormant for a long time.
We have to face it that, due to the complexity, the lack of an (easy) recreation and the fact that there is a workaround via modifying the apparmor profiles, likely nothing gets changed - unless somebody in the community steps up and does so.

Yet as I read from Kartik, that is somewhat ok for now.

I beg your pardon, sometimes not being able to fix all bugs is a hard truth that makes me sad :-/
I'm happy that you are kind of ok with it in this case.

Kartik Subbarao (subbarao) wrote :

No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been resolved by now in newer versions of openldap and kerberos.

In any case, I appreciate your empathy -- if only I could channel it to the maintainers of other software where I've reported bugs that are far more painful to deal with :-)
