[Bug 715579] Re: krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy is set
Mark Deneen
715579 at bugs.launchpad.net
Fri May 27 14:12:59 UTC 2011
I just wanted to note that in my environment, this is happening many
times a day. I run the kdc through runit, so things get restarted
immediately, but something is clearly wrong:
2011-05-27_11:21:32.11310 krb5kdc: starting...
2011-05-27_11:22:01.99218 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:02.01489 krb5kdc: starting...
2011-05-27_11:22:34.82072 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:34.84385 krb5kdc: starting...
2011-05-27_11:23:04.85051 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:23:04.87166 krb5kdc: starting...
2011-05-27_13:41:47.11749 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:41:47.13390 krb5kdc: starting...
2011-05-27_13:42:15.83151 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:15.84522 krb5kdc: starting...
2011-05-27_13:42:17.12465 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:17.14709 krb5kdc: starting...
2011-05-27_13:42:47.15550 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:47.16933 krb5kdc: starting...
2011-05-27_13:42:59.14972 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:59.17231 krb5kdc: starting...
2011-05-27_13:43:21.32805 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:21.33698 krb5kdc: starting...
2011-05-27_13:43:29.18399 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:29.20055 krb5kdc: starting...
2011-05-27_13:43:51.35396 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:51.38001 krb5kdc: starting...
Any idea what the assertion is trying to prevent? Should I contact the
upstream developers?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/715579
Title:
krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy
is set
Status in “krb5” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: krb5-kdc
I have a krb5kdc server running, using OpenLDAP as a data store. This
works great and, for most clients, it is fine. I have a password
policy set as follows:
krbMaxPwdLife: 3628800
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 6
krbPwdHistoryLength: 3
krbPwdMaxFailure: 20
krbPwdFailureCountInterval: 0
krbPwdLockoutDuration: 8
I have a Zimbra server running, configured to use kerberos5 for authentication. This appears to be working. I left a mail client (Thunderbird) running, periodically checking for new messages. After a few hours, krb5kdc crashed. I ran it through strace and found the following:
krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:161: krb5_ldap_lockout_audit: Assertion '!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
I took a peek at the code, but the assertion line didn't mean that
much to me. It did point me to the krbPwdLockoutDuration setting.
Looking at it now, I sure hope that it represents minutes.
Regardless, it shouldn't be possible to crash the KDC and I can now do
it very reliably. Any idea what the assertion is checking for and
what I can do to prevent this from happening?
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.4
ProcVersionSignature: Ubuntu 2.6.32-23.37-server 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-server x86_64
Architecture: amd64
Date: Tue Feb 8 22:53:43 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: krb5
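One way to quantify the restart loop visible in the runit log above, as an added example that is not part of the original message or of krb5: it pairs each assertion abort with the preceding `starting...` line and flags a crash loop. The function names, the 300-second window and the threshold of 3 are assumptions; the sample lines are the first seven lines of the quoted log.

```python
import os
import re
from datetime import datetime

# First seven lines of the runit log quoted in the message above.
_ASSERT = ("../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: "
           "krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, "
           "max_fail, lockout_duration, entry)' failed.")
SAMPLE_LOG = "\n".join([
    "2011-05-27_11:21:32.11310 krb5kdc: starting...",
    "2011-05-27_11:22:01.99218 krb5kdc: " + _ASSERT,
    "2011-05-27_11:22:02.01489 krb5kdc: starting...",
    "2011-05-27_11:22:34.82072 krb5kdc: " + _ASSERT,
    "2011-05-27_11:22:34.84385 krb5kdc: starting...",
    "2011-05-27_11:23:04.85051 krb5kdc: " + _ASSERT,
    "2011-05-27_11:23:04.87166 krb5kdc: starting...",
])

LINE = re.compile(r"^(\d{4}-\d\d-\d\d_\d\d:\d\d:\d\d\.\d{1,6}) krb5kdc: (.*)$")
ABORT = re.compile(r"^(\S+):(\d+): (\w+): Assertion `(.+)' failed\.$")

def crash_events(text):
    """Pair each assertion abort with the 'starting...' line before it."""
    events, started = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d_%H:%M:%S.%f")
        if m.group(2) == "starting...":
            started = ts
            continue
        a = ABORT.match(m.group(2))
        if a:
            uptime = (ts - started).total_seconds() if started else None
            events.append({"at": ts, "uptime_s": uptime, "func": a.group(3),
                           "where": f"{os.path.basename(a.group(1))}:{a.group(2)}"})
            started = None
    return events

def crash_loop(events, window_s=300, threshold=3):
    """True when `threshold` aborts fall inside any `window_s`-second span."""
    t = [e["at"] for e in events]
    return any((t[i + threshold - 1] - t[i]).total_seconds() <= window_s
               for i in range(len(t) - threshold + 1))

if __name__ == "__main__":
    for e in crash_events(SAMPLE_LOG):
        print(e["at"], e["where"], e["func"], f"up {e['uptime_s']:.1f}s")
    print("crash loop:", crash_loop(crash_events(SAMPLE_LOG)))
```

Because the supervisor restarts the KDC within milliseconds, process-liveness checks will not see these aborts; counting them from the service log is what exposes the outage pattern.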