[krbdev.mit.edu #8166] [krb5bug] kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 (big-endian issue ?) ...

Roland Mainz via RT rt-comment at krbdev.mit.edu
Sun Apr 12 22:33:04 EDT 2015


Hi!

----

This was discovered with the test "t_kdb.py", which is new in krb5-1.12.x, and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression: the same issue was observed on s390x and ppc64 on krb5-1.11.x and krb5-1.10.x.

Either run the test suite, where the test "t_kdb.py" should fail (make sure openldap is installed), or manually create a test realm with an LDAP database backend, then:
-- snip --
[root at rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root at rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 536870912 days 00:00:00
   Maximum renewable life: 1073741824 days 00:00:00
             Ticket flags:
-- snip --

It looks like the policy flags are correct in the database, only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more or less a cosmetic issue:
-- snip --
[root at rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#
 
dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 10800
krbMaxRenewableAge: 21600
krbTicketFlags: 2
 
search: 2
result: 0 Success
 
[root at rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol
[root at rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\#

dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
cn: tktpol
objectClass: krbTicketPolicy
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 14400
krbMaxRenewableAge: 28800
krbTicketFlags: 128
 
search: 2
result: 0 Success
 
[root at rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 715827882 days 16:00:00
   Maximum renewable life: 1431655765 days 08:00:00
             Ticket flags:
-- snip --

Expected results:
Like on x86_64 and ppc64le:
-- snip --
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol
[root at rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol
            Ticket policy: tktpol
      Maximum ticket life: 0 days 03:00:00
   Maximum renewable life: 0 days 06:00:00
             Ticket flags: DISALLOW_FORWARDABLE
-- snip --

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) rmainz at redhat.com
  \__\/\/__/  IPA/Kerberos5 team
  /O /==\ O\  
 (;O/ \/ \O;)
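
Added example, not part of the original report and not krb5 code: the wrong lifetimes shown above are exactly the LDAP values multiplied by 2^32, which is what a 32-bit store into a zeroed 64-bit slot that is then read back as 64 bits produces on a big-endian machine. That cause is an assumption the report does not confirm; `read_wide`, `fmt_life` and `low_flags` are hypothetical helpers that emulate both byte orders on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the ASSUMED fault: a 32-bit value is stored into the first four
 * bytes of a zeroed 8-byte slot, and the whole slot is then read back as one
 * 64-bit integer, both in the machine's byte order. */
static uint64_t read_wide(uint32_t v, int big_endian)
{
    unsigned char slot[8] = {0};
    uint64_t out = 0;
    int i;

    for (i = 0; i < 4; i++)            /* the 32-bit store */
        slot[i] = (unsigned char)(v >> (big_endian ? 24 - 8 * i : 8 * i));
    for (i = 0; i < 8; i++)            /* the 64-bit load */
        out |= (uint64_t)slot[i] << (big_endian ? 56 - 8 * i : 8 * i);
    return out;
}

/* Render seconds in the "N days HH:MM:SS" layout of the view_policy output.
 * Returns a static buffer that the next call overwrites. */
static const char *fmt_life(uint64_t secs)
{
    static char buf[48];

    snprintf(buf, sizeof buf, "%llu days %02u:%02u:%02u",
             (unsigned long long)(secs / 86400), (unsigned)(secs % 86400 / 3600),
             (unsigned)(secs % 3600 / 60), (unsigned)(secs % 60));
    return buf;
}

/* Bits a flag printer sees if it only examines the low 32 bits of the slot. */
static uint32_t low_flags(uint64_t slot) { return (uint32_t)slot; }

int main(void)
{
    /* krbMaxTicketLife / krbMaxRenewableAge values from the ldapsearch output */
    const uint32_t lives[] = { 10800, 21600, 14400, 28800 };
    size_t i;

    for (i = 0; i < sizeof lives / sizeof lives[0]; i++) {
        printf("%5u s  big-endian:    %s\n", (unsigned)lives[i], fmt_life(read_wide(lives[i], 1)));
        printf("         little-endian: %s\n", fmt_life(read_wide(lives[i], 0)));
    }
    printf("krbTicketFlags 2: big-endian 0x%x, little-endian 0x%x\n",
           (unsigned)low_flags(read_wide(2, 1)), (unsigned)low_flags(read_wide(2, 0)));
    return 0;
}
```

The same model leaves krbTicketFlags 2 with no bits set in the low 32 bits on big-endian, which matches the empty "Ticket flags:" line.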
 


