Fix Kerberos keytab string handling
Description
Problem/Justification
Impact
Activity

Dru Lavigne November 7, 2019 at 6:00 PM

Bug Clerk October 10, 2019 at 2:17 PM

Emanuel Klein September 23, 2019 at 4:47 PM
I tried it, but it seems to break "something".
Upon clicking Save on the AD config page (legacy UI), I now get a "{'desc': "Can't contact LDAP server"}" error, and the button is completely unresponsive.
Also this from the log:
Sep 23 18:38:46 nd-bsd-1 uwsgi: [common.freenasusers:354] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}
Traceback (most recent call last):
File "./freenasUI/common/freenasusers.py", line 351, in __init__
self.__users = dir(**kwargs)
File "./freenasUI/common/freenasldap.py", line 2506, in __init__
super(FreeNAS_ActiveDirectory_Users, self).__init__(**kwargs)
File "./freenasUI/common/freenasldap.py", line 2390, in __init__
super(FreeNAS_ActiveDirectory, self).__init__(**kwargs)
File "./freenasUI/common/freenasldap.py", line 1549, in __init__
self.set_servers()
File "./freenasUI/common/freenasldap.py", line 1703, in set_servers
self.dchandle.open()
File "./freenasUI/common/freenasldap.py", line 347, in open
raise e
File "./freenasUI/common/freenasldap.py", line 335, in open
res = bind_method()
File "./freenasUI/common/freenasldap.py", line 256, in _do_sasl_gssapi_bind
res = self.handle.sasl_interactive_bind_s('', auth_tokens)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 442, in sasl_interactive_bind_s
return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 309, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/local/lib/python3.6/site-packages/ldap/compat.py", line 42, in reraise
raise exc_value
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 293, in _ldap_call
result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Sep 23 18:38:46 nd-bsd-1 uwsgi: [common.freenasusers:229] Directory Groups could not be retrieved: {'desc': "Can't contact LDAP server"}

Andrew Walker September 19, 2019 at 12:44 PM
On a test system, clone your boot environment and replace /usr/local/www/freenasUI/common/system.py with the attached version (assuming 11.2-U6) and service django restart.

Andrew Walker September 19, 2019 at 11:37 AM
Okay. I have reproduced it.
Details
Assuming a configuration where FreeNAS is configured to use AD, using an imported keytab file, where the NetBIOS style SPN is used (see attached image).
The NetBIOS style hostname usually includes a '$' sign at the end,
i.e. nd-bsd-1$@REALM
observed behaviour:
Upon (re)start of the AD Directory Service on FreeNAS, cachetool passes the SPN 'nd-bsd-1REALM' string to kinit, which inevitably fails. (Mind the missing '$@' signs)
This produces the following log messages:
Sep 6 03:30:21 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 03:30:25 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 10:34:16 nd-bsd-1 uwsgi: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Whereas the kerberos_start script properly calls
Sep 6 10:34:47 nd-bsd-1 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/nd-bsd-1 -k ND-BSD-1$@LAN.DOMAIN.AT
This is most likely due to improper escaping of the SPN string passed on to kinit, causing '$' to be interpreted as a special character.
expected behaviour:
The string passed on to kinit by cachetool.py is being properly escaped.
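Added example, not part of the bug report and not FreeNAS code: the observed transformation (nd-bsd-1$@LAN.DOMAIN.AT arriving at kinit as ND-BSD-1LAN.DOMAIN.AT) is exactly what a POSIX shell does with an unquoted "$@" when there are no positional parameters, so the snippet below reconstructs that failure mode and shows two fixes. The string-concatenation pattern, the keytab path and the principal are assumptions made for illustration; kinit is never executed, instead /bin/sh is driven with printf so the argv a program would actually receive can be inspected.

```python
"""Why '$@' vanishes from a Kerberos principal built into a shell command
string, and how to keep it intact. Example code, not FreeNAS code."""
import shlex
import subprocess

# Constructed values mirroring the report; paths and names are assumptions.
KEYTAB = "/etc/kerberos/nd-bsd-1"
PRINCIPAL = "ND-BSD-1$@LAN.DOMAIN.AT"   # NetBIOS-style computer account, '$' included
KINIT = "/usr/bin/kinit"


def unquoted_cmdline(keytab, principal):
    """Hypothetical reconstruction of the faulty pattern: plain string
    concatenation that is later interpreted by a shell (e.g. shell=True).
    The shell treats '$@' as the positional-parameter list, which is empty."""
    return "%s --renewable -k -t %s %s" % (KINIT, keytab, principal)


def quoted_cmdline(keytab, principal):
    """Fix 1: every externally supplied token goes through shlex.quote, so the
    shell sees a single-quoted literal and performs no parameter expansion."""
    return "%s --renewable -k -t %s %s" % (
        KINIT, shlex.quote(keytab), shlex.quote(principal))


def kinit_argv(keytab, principal):
    """Fix 2 (preferred): an argument vector handed to subprocess without a
    shell. With no shell in the path, '$', '@', quotes and spaces are data."""
    return [KINIT, "--renewable", "-k", "-t", keytab, principal]


def argv_as_seen_by_program(cmdline):
    """Feed cmdline to /bin/sh but substitute printf for the program, so the
    argv that would have reached kinit is returned one element per entry."""
    probe = "printf '%s\\n' " + cmdline
    res = subprocess.run(["/bin/sh", "-c", probe], stdout=subprocess.PIPE,
                         universal_newlines=True, check=True)
    return res.stdout.splitlines()


if __name__ == "__main__":
    for label, line in (("unquoted", unquoted_cmdline(KEYTAB, PRINCIPAL)),
                        ("quoted", quoted_cmdline(KEYTAB, PRINCIPAL))):
        print("%-9s principal seen by program: %s"
              % (label, argv_as_seen_by_program(line)[-1]))
    print("argv      principal seen by program: %s"
          % kinit_argv(KEYTAB, PRINCIPAL)[-1])
```

The unquoted variant yields ND-BSD-1LAN.DOMAIN.AT, matching the "Popen()ing:" lines above; both fixes preserve ND-BSD-1$@LAN.DOMAIN.AT. Of the two, the argv form is the safer default because it removes the shell from the call entirely, so there is no quoting rule left to get wrong for any other character a principal or path might contain.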