Fix Kerberos keytab string handling

Description

Assuming a configuration where FreeNfiAS is configured to use AD, using an imported keytab file, where the NetBIOS style SPN is used. (see attached image)

The NetBIOS style hostname usually includes a '$' sign at the end.

I.E nd-bsd-1$@REALM

observed behaviour:

Upon (re)start of the AD Directory Service on FreeNAS, cachetool passes the SPN 'nd-bsd-1REALM' string to kinit, which inevitably fails. (Mind the missing '$@' signs)

This produces the following log messages:

Sep 6 03:30:21 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 03:30:25 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 10:34:16 nd-bsd-1 uwsgi: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT

Whereas the kerberos_start script properly calls

Sep 6 10:34:47 nd-bsd-1 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/nd-bsd-1 -k ND-BSD-1$@LAN.DOMAIN.AT

This is most likely, due to improper escaping of the SPN string passed on to kinit, causing '$' to be interpreted as a special character.

expected behaviour:

The string passed on to kinit by cachetool.py is being properly escaped.

Problem/Justification

None

Impact

None

Linked issues

duplicates

NAS-103413

Kerberos keytab named "nfs/..." not added to krb5.keytab

SmartDraw Connector

Katalon Manual Tests (BETA)

Activity

Show:

Dru Lavigne November 7, 2019 at 6:00 PM

11.3 PR: https://github.com/freenas/freenas/pull/3649

Bug Clerk October 10, 2019 at 2:17 PM

11.2 PR: https://github.com/freenas/freenas/pull/3646

Emanuel Klein September 23, 2019 at 4:47 PM

I tried it but it seems to break "something".

Upon clicking Save on the AD config page (legacy UI), i now get an

"{'desc': "Can't contact LDAP server"}" Error, and the button being completely unresponsive.

Also this from the log:

Sep 23 18:38:46 nd-bsd-1 uwsgi: [common.freenasusers:354] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}
Traceback (most recent call last):
File "./freenasUI/common/freenasusers.py", line 351, in _init_
self.__users = dir(**kwargs)
File "./freenasUI/common/freenasldap.py", line 2506, in _init_
super(FreeNAS_ActiveDirectory_Users, self)._init_(**kwargs)
File "./freenasUI/common/freenasldap.py", line 2390, in _init_
super(FreeNAS_ActiveDirectory, self)._init_(**kwargs)
File "./freenasUI/common/freenasldap.py", line 1549, in _init_
self.set_servers()
File "./freenasUI/common/freenasldap.py", line 1703, in set_servers
self.dchandle.open()
File "./freenasUI/common/freenasldap.py", line 347, in open
raise e
File "./freenasUI/common/freenasldap.py", line 335, in open
res = bind_method()
File "./freenasUI/common/freenasldap.py", line 256, in _do_sasl_gssapi_bind
res = self.handle.sasl
Sep 23 18:38:46 nd-bsd-1 uwsgi: interactive_bind_s('', auth_tokens)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 442, in sasl_interactive_bind_s
return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 309, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/local/lib/python3.6/site-packages/ldap/compat.py", line 42, in reraise
raise exc_value
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 293, in _ldap_call
result = func(args,*kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Sep 23 18:38:46 nd-bsd-1 uwsgi: [common.freenasusers:229] Directory Groups could not be retrieved: {'desc': "Can't contact LDAP server"}

Andrew Walker September 19, 2019 at 12:44 PM

On a test system, clone your boot environment and replace /usr/local/www/freenasUI/common/system.py with the attached version (assuming 11.2-U6) and service django restart.