Getting new "DN is out of the realm subtree" error on adding principal

Bug #1817955 reported by Nate Crawford on 2019-02-27
This bug affects 2 people
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)

Bug Description

Recently applied security update to 14.04.5 LTS kerberos (1.12+dfsg-2ubuntu5.4), and started getting errors when adding new principals to LDAP.

Obfuscated example:

kadmin.local -q "ank -x dn=\"uid=testuser,ou=People,dc=example,dc=com\" -pw \"dummypass\" testuser"

now gives:
Authenticating as principal <email address hidden> with password.
NOTICE: no policy specified for <email address hidden>; assigning "default"
add_principal: DN is out of the realm subtree while creating "<email address hidden>".

This worked up through 1.12+dfsg-2ubuntu5.3, and I think it now fails due to changes in src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in response to CVE-2018-5729 or CVE-2018-5730.

I'm going to attempt a downgrade to 1.12+dfsg-2ubuntu5.3 to check.

Yes, it is because of that change.
is the dn outside of the subtree?

Nate Crawford (nrm-crawford) wrote :

I do not think so, but I may not fully understand what "subtree" implies.

The realm was initially created with a command equivalent to:

kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r TEST.EXAMPLE.COM -s -H ldap://

with user entries like:
dn: uid=testuser,ou=People,dc=example,dc=com

I explicitly added the ou=People,dc=example,dc=com with "kdb5_ldap_util ... modify -subtrees ...", but that did not help. Setting sscope to 2 also did nothing.

I can add a principal without specifying dn, but that leads to an entry like:
dn: <email address hidden>,cn=TEST.EXAMPLE.COM,cn=krb5,dc=example,dc=com

lincvz (cvuillemez) wrote :

Same error after upgrading krb5 packages from 1.12+dfsg-2ubuntu5.3 to 1.12+dfsg-2ubuntu5.4.

Adding a principal in a subtree outside the realm container fails.

Realm container DN is "cn=TEST.EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"

But realm has subtree "dc=example,dc=com", with scope = SUB:

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap:// view -r TEST.EXAMPLE.COM
               Realm Name: TEST.EXAMPLE.COM
                  Subtree: dc=example,dc=com
              SearchScope: SUB

So I should add a principal anywhere in "dc=example,dc=com" , e.g. "ou=People,dc=example,dc=com" .

lincvz (cvuillemez) wrote :

Even explicitly added subtree doesn't work:

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap:// modify -r TEST.EXAMPLE.COM -subtrees 'dc=example,dc=com:ou=People,dc=example,dc=com"

# kdb5_ldap_util -D "cn=admin,dc=example,dc=com" -H ldap:// view -r TEST.EXAMPLE.COM
               Realm Name: TEST.EXAMPLE.COM
                  Subtree: dc=example,dc=com
                  Subtree: ou=People,dc=example,dc=com
              SearchScope: SUB

Still get the error "DN is out of the realm subtree" when adding a principal in "ou=People,dc=example,dc=com"

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Changed in krb5 (Ubuntu Trusty):
status: New → Triaged
Changed in krb5 (Ubuntu):
status: Confirmed → Fix Released
lincvz (cvuillemez) wrote :

Is the fix released in Trustu ESM repository ? I don't see it.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers