#6362 IPA password plugin sets krbExtraData on target entry which is not Kerberos Principal
Closed: fixed 3 years ago by abbra. Opened 7 years ago by mbabinsk.

When using ldappasswd to set user password, the IPA password plugin is triggered and unconditionally sets kerberosExtraData attribute on the target DN regardless of whether it is a proper Kerberos principal or just a simple user entry (see [1]).

This manifests when setting userPassword for the 'sudo' sysaccount which has just 'simpleSecurityObject' and 'account' objectclasses. The error log then contains the following (after ramping up the nsslapd-errorlog-level):

[27/Sep/2016:12:00:05.611462303 +0000] => entry_apply_mods_wsi
[27/Sep/2016:12:00:05.616341428 +0000]    krbExtraData: 
[27/Sep/2016:12:00:05.621399114 +0000]    replace: krbExtraData
[27/Sep/2016:12:00:05.626296695 +0000]    -
[27/Sep/2016:12:00:05.630766614 +0000]    modifiersname: cn=ipa_pwd_extop,cn=plugins,cn=config
[27/Sep/2016:12:00:05.635958790 +0000]    replace: modifiersname
[27/Sep/2016:12:00:05.647124780 +0000]    -
[27/Sep/2016:12:00:05.652126329 +0000]    modifytimestamp: 20160927120003Z
[27/Sep/2016:12:00:05.662898852 +0000]    replace: modifytimestamp
[27/Sep/2016:12:00:05.674080487 +0000]    -
[27/Sep/2016:12:00:05.678959024 +0000]    entryusn: 1589
[27/Sep/2016:12:00:05.683814090 +0000]    replace: entryusn
[27/Sep/2016:12:00:05.695163460 +0000]    -
[27/Sep/2016:12:00:05.705747844 +0000] <= entry_apply_mods_wsi 0
[27/Sep/2016:12:00:05.710499983 +0000] Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=test" -- attribute "krbExtraData" not allowed
[27/Sep/2016:12:00:05.715094809 +0000] Calling plugin 'Retrocl postoperation plugin' #0 type 561
[27/Sep/2016:12:00:05.725715544 +0000] not applying change if op failed 65

The operation itself is completed and the password is changed successfully, but we shouldn't let the error logs be polluted by false negatives.

[1] https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c#n598


Note that ipapwd_SetPassword() also doesn't check is_krb when adding modifications to the list of changes to LDAP entry. If is_krb is not set, it ideally should skip adding Kerberos attributes.

Ideally this should be implemented as part of a bigger effort.
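As an added example (not code from this ticket or from the FreeIPA project), here is the defender-side check the report implies: a small parser for the 389-ds error log that pairs each schema "attribute not allowed" rejection with the modifiersname carried by the mod batch logged just before it, so the noise can be attributed to ipa_pwd_extop rather than mistaken for a real schema problem. The sample is the ticket's own excerpt, embedded as a constructed string; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 389-ds error-log excerpt quoted in this ticket, trimmed.
SAMPLE_LOG = """\
[27/Sep/2016:12:00:05.611462303 +0000] => entry_apply_mods_wsi
[27/Sep/2016:12:00:05.616341428 +0000]    krbExtraData:
[27/Sep/2016:12:00:05.621399114 +0000]    replace: krbExtraData
[27/Sep/2016:12:00:05.630766614 +0000]    modifiersname: cn=ipa_pwd_extop,cn=plugins,cn=config
[27/Sep/2016:12:00:05.635958790 +0000]    replace: modifiersname
[27/Sep/2016:12:00:05.705747844 +0000] <= entry_apply_mods_wsi 0
[27/Sep/2016:12:00:05.710499983 +0000] Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=test" -- attribute "krbExtraData" not allowed
[27/Sep/2016:12:00:05.725715544 +0000] not applying change if op failed 65
"""
TS = r"^\[(?P<ts>[^\]]+)\]\s*"
MOD_VALUE = re.compile(TS + r"(?P<attr>[A-Za-z][\w;-]*):\s*(?P<value>.*)$")
NOT_ALLOWED = re.compile(TS + r'Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed$')
MOD_OPS = {"add", "replace", "delete"}  # LDIF-style operation keywords, not attributes

@dataclass
class SchemaViolation:
    timestamp: str
    dn: str
    attribute: str
    modifier: str  # modifiersname carried by the mod batch that was rejected

def find_schema_violations(log_text):
    """Pair each 'attribute not allowed' error with the mod batch logged before it."""
    findings, batch, last_batch = [], None, {}
    for line in log_text.splitlines():
        if "=> entry_apply_mods_wsi" in line:      # batch begins
            batch = {}
        elif "<= entry_apply_mods_wsi" in line:    # batch ends; keep it for correlation
            last_batch, batch = batch or {}, None
        elif batch is not None and (m := MOD_VALUE.match(line)):
            if m.group("attr").lower() not in MOD_OPS:
                batch[m.group("attr").lower()] = m.group("value")
        elif m := NOT_ALLOWED.match(line):
            findings.append(SchemaViolation(m.group("ts"), m.group("dn"), m.group("attr"),
                                            last_batch.get("modifiersname", "unknown")))
    return findings

def violations_by_modifier(findings):
    """Count rejected writes per (modifier, attribute); one plugin dominating is the tell."""
    counts = {}
    for f in findings:
        counts[(f.modifier, f.attribute)] = counts.get((f.modifier, f.attribute), 0) + 1
    return counts
```

Run it over a full error log captured at the raised nsslapd-errorlog-level; a count concentrated on (cn=ipa_pwd_extop,..., krbExtraData) for non-principal DNs is this ticket's symptom, not a schema misconfiguration.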

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Close as the BZ was closed.

Metadata Update from @pcech:
- Issue close_status updated to: wontfix
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)

3 years ago

This is actually fixed with the following commits:

master: 132a0f8
ipa-4-8: 8b7bb96
ipa-4-6: dc83394

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
