[SRU]slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

Bug #229252 reported by javierpb
10
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Fix Released
Undecided
Jamie Strandboge
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Fix Released
Undecided
Jamie Strandboge

Bug Description

Binary package hint: slapd

I'm setting up a ldap server allowing gssapi (kerberos) authentication, and it looks like the slapd daemon does not work properly. I've tried with both sasl-gssapi flavours (MIT & heimdal), and both fail when the slapd is running on the ubuntu (hardy) box, but works properly when the slapd is on a debian (etch) box.

The behaviour (described below) is the same when I supply the proper KRB5_KTNAME on /etc/default/slapd and when no keytab is supplied there, so it looks like the environment variable is not honoured.

When using the Heimdal-GSSAPI library, I get
ldap_sasl_interactive_bind_s: Invalid credentials (49)

MIT-GSSAPI library gives
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
and on the credential cache I see two ticket for a ldap principal one with the realm and another one that looks like realm-less.
There is also a quite probably related syslog message (selinux disabled, keytab owned by openldap user):
kernel: [ 783.797967] audit(1210511590.180:11): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=7408 profile="/usr/sbin/slapd" namespace="default"

Revision history for this message
Ryan Honeyager (rhoneyager-deactivatedaccount) wrote :

I've just had a similar problem. It's caused by a conflict with AppArmor's slapd policy (in /etc/apparmor.d/usr.sbin.slapd).
I switched apparmor's policy to complain mode with aa-complain and it fixed the problem.

Revision history for this message
Philipp Kaluza (pixelpapst) wrote :

Ryan, could you post the text of AppArmor's complaint ?

Revision history for this message
Ryan Honeyager (rhoneyager-deactivatedaccount) wrote :

AppArmor provided several complaints:

Jun 16 12:30:43 lionel kernel: [ 6122.925033] audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:30:43 lionel kernel: [ 6122.927321] audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"

To fix the top two, I added
  /dev/tty rw,
  /etc/ldap/keytab.ldap kr,
to AppArmor's slapd profile.

Upon restart of AppArmor and slapd, I tried to connect again, and it failed with this log message:

Jun 16 12:38:17 lionel kernel: [ 6577.144098] audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"

From there, I added
  /var/tmp/ r,
  /var/tmp/* rw,
to the slapd profile.

Restarting AppArmor and slapd again, connecting to the server with gssapi works fine and presents no errors.

Changed in openldap:
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

Attached debdiff was tested and verified to work against a krb5 KDC and kerberized slapd. The profile allows 'kr' access to /etc/krb5.keytab as well as all of /etc/ldap/** (so users can put their keytabs in there).

Attached debdiff also fixes bug #243525

Changed in openldap:
assignee: nobody → jdstrand
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Attached debdiff is (perhaps obviously) for Hardy SRU.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package openldap - 2.4.10-3ubuntu1

---------------
openldap (2.4.10-3ubuntu1) intrepid; urgency=low

  [ Mathias Gug ]
  * Merge from debian unstable, remaining changes:
    - debian/apparmor-profile: add AppArmor profile
    - debian/slapd.postinst: Reload AA profile on configuration
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
      to make sure that if earlier version of apparmour-profiles gets
      installed it won't overwrite our profile.
    - Modify Maintainer value to match the DebianMaintainerField
      speficication.
    - follow ApparmorProfileMigration and force apparmor compalin mode on
      some upgrades (LP: #203529)
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist.
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now.
    - debian/patches/fix-unique-overlay-assertion.patch:
      Fix another assertion error in unique overlay (LP: #243337).
      Backport from head.
  * Dropped - implemented in Debian:
    - debian/patches/fix-gnutls-key-strength.patch:
      Fix slapd handling of ssf using gnutls. (LP: #244925).
    - debian/control:
      Add time as build dependency: needed by make test.
  * debian/control:
    - Build-depend on libltdl7-dev rather then libltdl3-dev.
  * debian/patches/autogen.sh:
    - Call libtoolize with the --install option to install config.{guess,sub}
    files.

  [ Jamie Strandboge ]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

openldap (2.4.10-3) unstable; urgency=low

  [ Steve Langasek ]
  * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
    vulnerability in the BER decoder. Addresses CVE-2008-2952,
    closes: #488710.
  * debian/slapd.scripts-common, debian/slapd.postinst: drop
    update_path_argsfile_pidfile function, not needed for updates from etch
    or newer.
  * Drop the code to check for and upgrade ldbm databases. The etch
    release of slapd had already dropped support for them and direct
    upgrades from sarge are not supported.

  [ Russ Allbery ]
  * Apply upstream patch to convert GnuTLS cipher strength from bytes to
    bits, as expected by OpenLDAP. (Closes: #473796)
  * Add Build-Depends on time, used by the test suite and only a shell
    built-in with bash. Thanks, Daniel Schepler. (Closes: #490754)
  * Refresh all patches, convert all patches to -p1, and remove extraneous
    Index: lines. (Closes: #485263)
  * Unless DFSG_NONFREE is set, also check whether the upstream schemas
    with RFC comments are included.
  * Update standards version to 3.8.0.
    - Include debian/README.source pointing to the quilt README.source.
    - Wrap Uploaders for ...

Read more...

Changed in openldap:
status: In Progress → Fix Released
Revision history for this message
Nick Fishman (bsdlogical) wrote :

Hello,

I don't mean to reopen this bug after it's (apparently) been fixed.

I was trying to setup a combined LDAP/Kerberos system today, and ran into this exact problem. I'm running the latest version of Hardy with all updates. After I applied the fixes to the AppArmor profile suggested by Ryan, everything worked.

My major question is (and perhaps this is due to a major misunderstanding on my part): why was this fix applied to the openldap package, when the server itself is in slapd? Indeed, I could not find this patch in the latest slapd package.

Thanks in advance,
Nick

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

openldap is the name of the source package in the development release, and the slapd profile has been fixed in that release. We will also apply for a StableReleaseUpdate for Ubuntu 8.04 LTS.

Chuck Short (zulcss)
Changed in openldap:
status: Fix Released → Confirmed
status: Confirmed → Fix Released
Revision history for this message
Chuck Short (zulcss) wrote :

Due to apparmor changes kerberos authentication is not available in hardy. This patch fixes it:

Steps to Reproduce:

1. Install openldap2.3
2. Install a kerberos authentication environment
3. Try to authenticate.

NOTE: This test should be done with someone who already has this setup.

I have attached the debdiff that fixes this issue.

chuck

Changed in openldap:
status: New → In Progress
Revision history for this message
Chuck Short (zulcss) wrote :
Revision history for this message
Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap:
status: In Progress → Fix Committed
Revision history for this message
javierpb (javiplx) wrote :

Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy? I would like to test that the patch does actually works.

I've tried to install the binary package and compile the source one, but both fail due to missing dependencies (libltdl7) or versions.

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 229252] Re: [SRU]slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

On Thu, Aug 07, 2008 at 04:39:29PM -0000, javierpb wrote:
> Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy?
> I would like to test that the patch does actually works.

The version for hardy is 2.4.9-0ubuntu0.8.04.2, which is currently in
hardy-proposed. You can test it by enabling the hardy-proposed pocket in
your "Software Sources" administration dialog.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Revision history for this message
javierpb (javiplx) wrote :

I've finally performed the test, and I can confirm that the package in hardy-proposed solves this bug, and GSSAPI authentication to a OpenLDAP server works without problems.

Revision history for this message
jplien (jolien) wrote :

I applied the fix from hardy-proposed, restarted slapd and apparmor, and I am no longer getting errors from apparmor in /var/log/messages. Accessing slapd using GSSAPI doesn't work, however, because slapd doesn't seem to honor my KRB5_KTNAME variable. I had this working in gutsy, but since upgrade to hardy I can't use GSSAPI. Trying to connect gives the following slapd output:

SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

I have a keytab file /etc/ldap/slapd.keytab (owned by openldap:openldap, mode 600), and I have KRB5_KTNAME=/etc/ldap/slapd.keytab. This is set in /etc/default/slapd when slapd is started automatically, and I set on the cmd line before running slapd manually. Neither method works. If I make /etc/slapd.keytab world readable, nothing changes. If I make /etc/krb5.keytab world readable, then it complains instead about not finding the principal it wants, so this is definitely where it is looking. Did something change between gutsy and hardy as far as specifying a keytab? I can't find info on this anywhere else.

Revision history for this message
jplien (jolien) wrote :

Ok, I changed /etc/default/slapd so that the last line reads
export KRB5_KTNAME="/etc/ldap/slapd.keytab"

instead of just:
KRB5_KTNAME="/etc/ldap/slapd.keytab"

The latter worked in gutsy, but I noticed the hardy config file included the "export". GSSAPI in slapd now works when auto-started, but it still won't work from the command line, even if I run export KRB5_KTNAME="/etc/ldap/slapd.keytab".

Revision history for this message
Steve Langasek (vorlon) wrote :

jplien,

What's the exact command line you're using to try to start slapd manually?

Revision history for this message
Steve Langasek (vorlon) wrote :

marking this fix as verified, because the remaining issues don't appear to be related to apparmor.

Revision history for this message
jplien (jolien) wrote :

Sorry for the delayed reply. It is working from the command line now. I was exporting the wrong keytab file name. I swear I looked at that 20 times the other day. **sigh**

Revision history for this message
Mathias Gug (mathiaz) wrote :

Fix released in 2.4.9-0ubuntu0.8.04.2.

Changed in openldap:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.