Debian Bug report logs - #631120
slapd-smbk5pwd: Overlay can not be added

Package: slapd-smbk5pwd; Maintainer for slapd-smbk5pwd is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for slapd-smbk5pwd is src:openldap.

Reported by: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>

Date: Mon, 20 Jun 2011 14:18:05 UTC

Severity: normal

Tags: upstream

Found in version openldap/2.4.23-7


Report forwarded to debian-bugs-dist@lists.debian.org, tobias.mayer@hhi.fraunhofer.de, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#631120; Package slapd-smbk5pwd. (Mon, 20 Jun 2011 14:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>:
New Bug report received and forwarded. Copy sent to tobias.mayer@hhi.fraunhofer.de, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 20 Jun 2011 14:18:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slapd-smbk5pwd: Overlay can not be added
Date: Mon, 20 Jun 2011 16:16:47 +0200
Package: slapd-smbk5pwd
Version: 2.4.23-7
Severity: normal
Tags: upstream

The following happens after an initial setup of slapd with
an unpopulated DIT (generated by dpkg-reconfigure slapd)

Adding the module with this ldif:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}smbk5pwd.so
 
works, but then using the following to use the overlay fails:

dn: olcOverlay={0}smbk5pwd,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 0
olcSmbK5PwdCanChange: 0

complete output:
# ldapmodify -Y EXTERNAL -H ldapi:/// -a -f smbk5pwd2.ldif -v
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add objectClass:
	olcOverlayConfig
	olcSmbK5PwdConfig
add olcOverlay:
	{0}smbk5pwd
add olcSmbK5PwdEnable:
	samba
add olcSmbK5PwdMustChange:
	0
add olcSmbK5PwdCanChange:
	0
adding new entry "olcOverlay={1}smbk5pwd,olcDatabase={1}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
	additional info: <olcSmbK5PwdEnable> handler exited with 1


-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd-smbk5pwd depends on:
ii  libc6      2.11.2-10                     Embedded GNU C Library: Shared lib
ii  libgcrypt1 1.4.5-2                       LGPL Crypto library - runtime libr
ii  libkadm5sr 1.4.0~git20100726.dfsg.1-1+b1 Libraries for Heimdal Kerberos
ii  libkrb5-26 1.4.0~git20100726.dfsg.1-1+b1 Heimdal Kerberos - libraries
ii  libldap-2. 2.4.23-7                      OpenLDAP libraries
ii  slapd      2.4.23-7                      OpenLDAP server (slapd)

slapd-smbk5pwd recommends no packages.

slapd-smbk5pwd suggests no packages.

-- no debconf information





Message #10 received at 631120@bugs.debian.org (full text, mbox):

From: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>
To: 631120@bugs.debian.org
Subject: new information
Date: Tue, 21 Jun 2011 16:43:46 +0200
I was able to get the overlay to load, but unfortunately not without a major drawback:

By using slapd.conf I got slapd to write the following to syslog:
Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize krb5 admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission denied (13).

After opening the permissions to the openldap user, the ldif applies just fine.

For me this is not a big problem, since I don't use kerberos. But nonetheless, I think heimdal-kdc should have its own group, and openldap should be a member there.
... and even that is not an optimal solution.

regards,
Tobias Mayer






Message #15 received at 631120@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>, 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: new information
Date: Tue, 21 Jun 2011 09:17:19 -0700
On Tue, Jun 21, 2011 at 04:43:46PM +0200, Tobias Mayer wrote:
> by using slapd.conf i got slapd to write the following to syslog:
> Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize
> krb5 admin context: failed to open /var/lib/heimdal-kdc/m-key:
> Permission denied (13).

> after opening the permissions to the openldap user, the ldif applies
> just fine.

> for me this is not a big problem, since i don't use kerberos.

I don't understand.  If you're not using kerberos, why are you using this
overlay?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org


Message #20 received at 631120@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>
Cc: 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: new information
Date: Tue, 21 Jun 2011 11:05:58 -0700
Tobias Mayer <tobias.mayer@hhi.fraunhofer.de> writes:

> I was able to get the overlay to load, but unfortunately not without a
> major drawback:

> by using slapd.conf i got slapd to write the following to syslog:
> Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize krb5
> admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission
> denied (13).

> after opening the permissions to the openldap user, the ldif applies just
> fine.

> for me this is not a big problem, since i don't use kerberos. But
> nonetheless, i think heimdal-kdc should have its own group, and
> openldap should be a member there.

Definitely not as a default configuration.  Under normal circumstances,
there's no way that the LDAP server should have direct access to the KDC
database.  The KDC database is generally the single most
security-sensitive thing on whatever machine on which it's running.

That error message indicates that the plugin is using server-mode kadmin,
which surprises me.  Shouldn't it be using client-mode kadmin with a
keytab for a known principal that has the appropriate access in
kadmind.acl?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
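
A check for the condition raised in the message above, as an added example that is not part of the bug thread or of the Debian/OpenLDAP packages: it reports whether a service account such as openldap can read the KDC master key through plain mode bits. The group name heimdal-kdc and the sample modes are constructed for illustration; GNU stat is assumed, and POSIX ACLs are not evaluated.

```shell
#!/bin/sh
# Added example (not from the bug thread). Assumes GNU stat, as on Debian.
# Plain mode bits only: POSIX ACLs and root's override are not evaluated.

# can_read MODE OWNER GROUP ACCOUNT "ACCOUNT_GROUPS"
# Returns 0 when the mode bits give ACCOUNT read access to the file.
can_read() {
    cr_perms=$(printf '%03d' "$(($1 % 1000))")   # drop setuid/sticky digit
    cr_u=${cr_perms%??}
    cr_o=${cr_perms#??}
    cr_g=${cr_perms#?}; cr_g=${cr_g%?}
    if [ "$4" = "$2" ]; then
        cr_bits=$cr_u                      # owner class applies
    else
        case " $5 " in
            *" $3 "*) cr_bits=$cr_g ;;     # account is in the file's group
            *)        cr_bits=$cr_o ;;     # falls through to "other"
        esac
    fi
    [ $((cr_bits & 4)) -ne 0 ]
}

# audit_keyfile FILE ACCOUNT: 0 = not readable, 1 = readable, 2 = cannot stat
audit_keyfile() {
    ak_file=$1 ak_acct=$2
    ak_info=$(stat -c '%a %U %G' -- "$ak_file" 2>/dev/null) || return 2
    ak_groups=$(id -Gn "$ak_acct" 2>/dev/null) || ak_groups=""
    set -- $ak_info                        # $1=mode $2=owner $3=group
    if can_read "$1" "$2" "$3" "$ak_acct" "$ak_groups"; then
        echo "EXPOSED: $ak_acct can read $ak_file ($1 $2:$3)"
        return 1
    fi
    echo "ok: $ak_acct cannot read $ak_file ($1 $2:$3)"
}

# Constructed cases: the shared-group layout proposed in the thread
# (hypothetical group heimdal-kdc) versus a root-only key file.
can_read 640 root heimdal-kdc openldap "openldap heimdal-kdc" \
    && echo "640 root:heimdal-kdc -> openldap can read the master key"
can_read 600 root root openldap "openldap" \
    || echo "600 root:root -> openldap cannot read the master key"

# On a real host: audit_keyfile /var/lib/heimdal-kdc/m-key openldap
```
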





Message #25 received at 631120@bugs.debian.org (full text, mbox):

From: Tobias Mayer <tobias.mayer@hhi.fraunhofer.de>
To: Steve Langasek <vorlon@debian.org>
Cc: 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: new information
Date: Wed, 22 Jun 2011 10:21:20 +0200
On 21.06.2011 18:17, Steve Langasek wrote:
> On Tue, Jun 21, 2011 at 04:43:46PM +0200, Tobias Mayer wrote:
>> by using slapd.conf i got slapd to write the following to syslog:
>> Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize
>> krb5 admin context: failed to open /var/lib/heimdal-kdc/m-key:
>> Permission denied (13).
>> after opening the permissions to the openldap user, the ldif applies
>> just fine.
>> for me this is not a big problem, since i don't use kerberos.
> I don't understand.  If you're not using kerberos, why are you using this
> overlay?
>
Well... I'm currently testing a migration from SUSE Linux to Debian for a couple of servers, and they use smbk5pwd without kerberos support to sync unix and samba passwords.
The other solution would be pam_smbpass, correct?
But then I plan to add kerberos to our setup eventually anyway.






Message #30 received at 631120@bugs.debian.org (full text, mbox):

From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: 631120@bugs.debian.org
Cc: tobias.mayer@hhi.fraunhofer.de, vorlon@debian.org
Subject: Re: slapd-smbk5pwd: Overlay can not be added
Date: Mon, 7 Nov 2011 08:48:02 +0800 (WST)
I'm pretty sure that slapd-smbk5pwd is failing to respect the 
smbK5PwdEnable attribute on 64-bit platforms - having spun up two 
fresh Debian VMs and configured them for samba and not kerberos as in the 
original bug report, I get an error complaining about Kerberos 
misconfiguration on the 64-bit machine but not on the 32-bit machine.

See http://www.openldap.org/lists/openldap-technical/201111/msg00034.html

In the short term this could be fixed with the patch in my post.

David Adam
zanchey@ucc.gu.uwa.edu.au





Message #35 received at 631120@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc: 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: slapd-smbk5pwd: Overlay can not be added
Date: Mon, 07 Nov 2011 00:54:18 -0800
--On Monday, November 07, 2011 8:48 AM +0800 David Adam 
<zanchey@ucc.gu.uwa.edu.au> wrote:

> I'm pretty sure that slapd-smbk5pwd is failing to respect the
> smbK5PwdEnable attribute on 64-bit platforms - having spun up two
> fresh Debian VMs and configured them for samba and not kerberos as in the
> original bug report, I get an error complaining about Kerberos
> misconfiguration on the 64-bit machine but not on the 32-bit machine.

I'm somewhat curious why you are filing this with Debian when you were 
pointed at the upstream ITS system, where such initial reports belong.  The 
Debian project is not affiliated in any way with the OpenLDAP project.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #40 received at 631120@bugs.debian.org (full text, mbox):

From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: Quanah Gibson-Mount <quanah@zimbra.com>
Cc: 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: slapd-smbk5pwd: Overlay can not be added
Date: Mon, 7 Nov 2011 19:44:50 +0800 (WST)
On Mon, 7 Nov 2011, Quanah Gibson-Mount wrote:
> --On Monday, November 07, 2011 8:48 AM +0800 David Adam
> <zanchey@ucc.gu.uwa.edu.au> wrote:
> 
> > I'm pretty sure that slapd-smbk5pwd is failing to respect the
> > smbK5PwdEnable attribute on 64-bit platforms - having spun up two
> > fresh Debian VMs and configured them for samba and not kerberos as in the
> > original bug report, I get an error complaining about Kerberos
> > misconfiguration on the 64-bit machine but not on the 32-bit machine.
> 
> I'm somewhat curious why you are filing this with Debian when you were pointed
> at the upstream ITS system, which initial such reports belong.  The Debian
> project is not affiliated in any way with the OpenLDAP project.

Many people using Debian check the BTS as their first point of call when 
they are having problems with software on their system. In this case, the 
issue has previously been reported by another user, so I posted in order 
to confirm that it is an issue other people are also seeing (as that was 
not evident from the thread above) and to advise that I had made a report 
upstream so that Debian developers and other users might be able to track 
its progress.

It has also been filed upstream at 
   http://www.OpenLDAP.org/its/index.cgi?findid=7082

Thanks

David Adam
zanchey@ucc.gu.uwa.edu.au





Message #45 received at 631120@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc: 631120@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#631120: slapd-smbk5pwd: Overlay can not be added
Date: Mon, 07 Nov 2011 15:33:01 -0800
--On Monday, November 07, 2011 7:44 PM +0800 David Adam 
<zanchey@ucc.gu.uwa.edu.au> wrote:

> It has also been filed upstream at
>    http://www.OpenLDAP.org/its/index.cgi?findid=7082

This has been fixed upstream.  It also has raised 
<http://www.openldap.org/its/index.cgi/?findid=7083> which is currently 
being fixed.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #50 received at 631120@bugs.debian.org (full text, mbox):

From: Hubert Kario <hka@qbs.com.pl>
To: 631120@bugs.debian.org
Subject: slapd-smbk5pwd: Overlay can not be added: OpenLDAP issue 7083 fixed
Date: Thu, 22 Dec 2011 01:25:11 +0100
Both issues, 7082 and 7083, have been fixed upstream.

Is there some timeframe when those patches will be integrated into the squeeze 
package?

-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:54:54 2014; Machine Name: buxtehude.debian.org
