Existing patch gssapi.diff makes guess_service_principal produce garbage

Bug #661547 reported by Scott Salley on 2010-10-16
This bug affects 11 people
Affects: openldap (Ubuntu) | Importance: High | Assigned to: Thierry Carrez
Affects: Maverick | Importance: Undecided | Assigned to: Unassigned

Bug Description

openldap 2.4.23-0ubuntu3 in Ubuntu 10.10

likewise-open users reported severe failures and I investigated and determined that the patch gssapi.diff (in openldap) contains modifications to guess_service_principal() that are incompatible with recent changes in OpenLDAP and result in random service principal strings.

Attached is a replacement patch for gssapi.diff (named gssapi-2.diff)

Thierry Carrez (ttx) wrote :

There is already one maverick-proposed queued for openldap, waiting until it makes it to maverick-updates.

Changed in openldap (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: patch
Jason Sharp (jsharp) wrote :

How would one go about applying this patch, seeing as I have a few users here in the office that got over-zealous and already updated their machines?

Scott Salley (ssalley) wrote :

Drop the patch in the openldap-xxx/debian/patches directory and edit the 'series' file in the same directory, replacing gssapi.diff with gssapi-2.diff and then build. If this is unfamiliar for you, I could download the latest openldap sources, apply the patch, and upload the sources to my ppa where launchpad will build it and then you could download it.
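
The patch swap described in the comment above, as an added example that is not part of the original thread: a shell function (the name swap_series_patch is hypothetical) that replaces one entry in the quilt series file only when the old entry is listed exactly once and the replacement patch is already in the directory. It assumes each series entry is a bare file name on its own line; the build command in the trailing comment is likewise an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). swap_series_patch is a hypothetical helper.
# Usage: swap_series_patch PATCHES_DIR OLD_ENTRY NEW_ENTRY
# Assumes every series entry is a bare file name on its own line.
swap_series_patch() {
    patches_dir=$1; old=$2; new=$3
    series="$patches_dir/series"

    [ -f "$series" ] || { echo "no series file in $patches_dir" >&2; return 1; }
    # The replacement must already have been dropped into the patches directory.
    [ -s "$patches_dir/$new" ] || { echo "$new missing or empty" >&2; return 1; }

    # Refuse to guess: the old entry has to be listed exactly once.
    count=$(grep -cxF -- "$old" "$series" || true)
    [ "$count" -eq 1 ] || { echo "expected one '$old' entry, found $count" >&2; return 1; }

    # Rewrite only the exact-line match so the patch order is preserved,
    # and replace the file in one step so a failure leaves it untouched.
    tmp=$(mktemp "$series.XXXXXX") || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "$old" ]; then
            printf '%s\n' "$new"
        else
            printf '%s\n' "$line"
        fi
    done < "$series" > "$tmp" && mv -- "$tmp" "$series"
}

# Typical use from the unpacked source tree (the build command is an assumption;
# the comment above says only "then build"):
#   swap_series_patch debian/patches gssapi.diff gssapi-2.diff
#   dpkg-buildpackage -us -uc -b
```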

Scott Salley (ssalley) wrote :

I've added the patched version to my ppa (https://launchpad.net/~ssalley/+archive/ppa/+packages). I suggest rebooting after installing to make sure all processes pick up the new version.

Jason Sharp (jsharp) wrote :

Thanks for the update. I'll test them out and hopefully it works.

Misha Bazanov (bmw-) wrote :

Thanks, Scott! Now I can update my 10.04 and use it in AD. Already tested in virtualbox.

Eric Heydrick (eheydrick) wrote :

I can confirm that the openldap package from ppa:ssalley fixes likewise on maverick. Looks like the other openldap update is almost in -updates. Hopefully we can get this one in there ASAP.

Unless I am mistaken, this bug renders likewise-open DOA. Now that the last update to openldap in maverick-proposed has gone through, I guess it would be a good time to push this one.

Not trying to push anybody around. I swear, I would do it myself if I had the credentials! :)

Ian Kluhsman (iankluhsman) wrote :

Likewise has released a fixed version of this that works in Ubuntu 10.10. Download the Likewise Open packages from their website.

I have posted a blog about how to get this running for those who are interested.

http://ianstekblog.blogspot.com/2010/11/likewise-open-in-ubuntu-1010-maverick.html

Chuck Short (zulcss) wrote :

Just running the testsuite :P

Ian,

Thanks for sending along your recent blog post. I wanted to clarify a
couple things here as we are affected in this case by a bug in another
package, not one in our code.

What broke in the version provided via main on Ubuntu 10.10 was OpenLDAP.

The developer who found the OpenLDAP bug was stunned that the version of
OpenLDAP that shipped in 10.10 even built, let alone functioned.

All the versions Likewise Software shipped from our website have worked on
Ubuntu 10.10.

The version of Likewise Open we ship from our website has a build of
OpenLDAP which we bless (as this version must work on numerous versions of
numerous distros). In the Ubuntu main repo version (5.4), we are entirely
dependent on the version of OpenLDAP which Canonical ships in the main repo.

When it broke, so did we.

The fix for this is to download the version of OpenLDAP which we have on
launchpad with the bad patch removed. Once this is done, LikewiseOpen as
shipped with Ubuntu 10.10 main works just fine.

  See:
http://www.likewise.com/community/index.php/forums/viewannounce/863_6/

Thanks again for the post on Likewise. If possible it would be much
appreciated if you could make clear the cause of the failure in the Ubuntu
main repository version as we would like users' confidence in the tools we
provide via Canonical's release to remain solid.

We also have a team of dedicated engineers who are specifically tasked with
assisting users of the open source offerings (at no cost). These engineers
can be reached via our community forums at:
http://www.likewise.com/community/index.php/forums/

Feel free to use any of the information provided on our forums and this
email if you find it useful.

If you have any questions please don't hesitate to contact me directly.

All the best,

Jonathan Flack
Open Source Community Engineer
Likewise Software

On 11/18/10 12:54 PM, "Ian Kluhsman" <email address hidden> wrote:

> http://ianstekblog.blogspot.com/2010/11/likewise-open-in-ubuntu-1010-maverick.html

--
Jonathan Flack
Likewise Engineer
Likewise Software
T: +1.425.378.7887 x212
E: <email address hidden>

Accepted openldap into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in openldap (Ubuntu Maverick):
status: New → Fix Committed
tags: added: verification-needed
Thierry Carrez (ttx) wrote :

@Scott: could you help validate the Maverick -proposed packages?

Scott Salley (ssalley) wrote :

@Thierry: I have installed the openldap package in -proposed and installed likewise-open and successfully joined a domain and logged in [on amd64] and did a few other tests that indicate likewise-open is in the same state of health as in 10.04. Could you give me some guidance as to what to do now? Is there a place to log this success? A series of tests to run? [I looked at qa.ubuntu.com for openldap tests but didn't find anything].

Thierry Carrez (ttx) wrote :

Thanks Scott, I think validating that the -proposed package fixes the issue is sufficient to mark it verification-done.

tags: added: verification-done
removed: verification-needed
Martin Pitt (pitti) wrote :

Please fix this in natty ASAP, so that the fix can proceed to maverick-updates.

Thierry Carrez (ttx) on 2010-11-26
Changed in openldap (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.23-6ubuntu3

---------------
openldap (2.4.23-6ubuntu3) natty; urgency=low

  * debian/patches/gssapi.diff:
    Update patch so that likewise-open is usable again (LP: #661547)
 -- Thierry Carrez (ttx) <email address hidden> Fri, 26 Nov 2010 15:50:11 +0100

Changed in openldap (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.23-0ubuntu3.4

---------------
openldap (2.4.23-0ubuntu3.4) maverick-proposed; urgency=low

  * debian/patches/gssapi.diff: Update patch so that likewise-open is usable again.
    (LP: #661547)
 -- Chuck Short <email address hidden> Thu, 18 Nov 2010 14:38:18 -0500

Changed in openldap (Ubuntu Maverick):
status: Fix Committed → Fix Released

This is still not fixed...

Reinstalled Ubuntu 10.10 64 bit
installed likewise-open

<user>@ai-328:~$ sudo domainjoin-cli join <domain> <adminuser>
[sudo] password for <user>:
Joining to AD Domain: <domain>
With Computer DNS Name: <hostname>.<domain>

<adminuser>@<domain>'s password:

Error: Lsass Error [code 0x00080047]

1225 (0x4C9) ERROR_CONNECTION_REFUSED - Unknown error

open ldap version: 2.4.23-0ubuntu3.4

When I do some lw commands I get the domain information as if I was connected (maybe I am), but I still get this error..

Getting this as well when I try to leave the domain

Error code: CENTERROR_DOMAINJOIN_LSASS_ERROR (0x00080047)

Backtrace:
    main.c:368
    djmodule.c:323
    djauthinfo.c:925
    djauthinfo.c:1238

Never mind, this solved it:

  $ killall lwsmd lwregd dcerpcd netlogond eventlogd lwiod lsassd

killall -9 if you have to. We're going to reset state anyways.

  $ /bin/rm -rf /var/lib/likewise-open
  $ mkdir -p /var/lib/likewise-open/{db,rpc,run}
  $ chmod 700 /var/lib/likewise-open/db

Now start lwsmd:

  $ /etc/init.d/lwsmd start

Import settings

  $ for file in /etc/likewise-open/*.reg; do lwregshell import "$file"; done

Reload lwsmd

   $ /etc/init.d/lwsmd reload

Start lsassd

  $ lwsm start lsass

You will have a clean state. You should now be able to rejoin the
domain and hopefully everything will be resolved.

Alexander,

Have you run the system updates?

This is absolutely fixed.

Jonathan

On 2/16/11 3:29 AM, "Alexander Vassbotn Røyne-Helgesen"
<email address hidden> wrote:

> This is still not fixed...
>
> Reinstalled Ubuntu 10.10 64 bit
> installed likewise-open
>
> <user>@ai-328:~$ sudo domainjoin-cli join <domain> <adminuser>
> [sudo] password for <user>:
> Joining to AD Domain: <domain>
> With Computer DNS Name: <hostname>.<domain>
>
> <adminuser>@<domain>'s password:
>
> Error: Lsass Error [code 0x00080047]
>
> 1225 (0x4C9) ERROR_CONNECTION_REFUSED - Unknown error
>
>
> open ldap version: 2.4.23-0ubuntu3.4
>
> When I do some lw commands I get the domain information as if I was
> connected (maybe I am), but I still get this error..
>
> Getting this as well when I try to leave the domain

--
Jonathan Flack
Systems Engineer
Likewise Software

t: 425.378.7887 x212
f: 425.484.8200
e: <email address hidden>

RustyNail (wnoble2005) wrote :

I don't know how this is fixed.

I have been fighting this problem for quite some time (fresh installs of x64 10.10 with ALL updates). All will join just fine, then things just stop working.

=========================================================================
administrator@qc-ltaylor:~$ sudo domainjoin-cli join xxxxxx.com administrator
Joining to AD Domain: xxxxxx.com
With Computer DNS Name: qc-ltaylor.customeng.com

<email address hidden>'s password:

Error: Lsass Error [code 0x00080047]

1225 (0x4C9) ERROR_CONNECTION_REFUSED - Unknown error
administrator@qc-ltaylor:~$

=========================================================================

Sometimes if I uninstall Likewise and re-install things work. Mostly not. I have gone through every proposed solution and things just sometimes work, but usually not.

Scott Salley (ssalley) wrote :

RustyNail: I suggest going to http://www.likewise.com/community/index.php/forums and writing of your problem there. Likewise has support engineers that work with the Open community and they are pretty responsive. The issues you describe sound like environmental problems and they can help determine the cause.
