[Bug 715579] [NEW] krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy is set
Mark Deneen
715579 at bugs.launchpad.net
Wed Feb 9 04:04:50 UTC 2011
Public bug reported:
Binary package hint: krb5-kdc
I have a krb5kdc server running, using openldap as a data store. This
works great and, for most clients, it is fine. I have a password policy
set as follows:
krbMaxPwdLife: 3628800
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 6
krbPwdHistoryLength: 3
krbPwdMaxFailure: 20
krbPwdFailureCountInterval: 0
krbPwdLockoutDuration: 8
I have a zimbra server running, configured to use kerberos5 for authentication. This appears to be working. I left a mail client (Thunderbird) running, periodically checking for new messages. After a few hours, krb5kdc crashed. I ran it through strace and found the following:
krb5kdc: ../../../../../ src/plugins/kdb/ldap/libkdb_ldap/lockout.c:161: krb5_ldap_lockout_audit: Assertion '!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed..
I took a peek at the code, but the assertion line didn't mean that much
to me. It did point me to the krbPwdLockoutDuration setting. Looking
at it now, I sure hope that it represents minutes.
Regardless, it shouldn't be possible to crash the KDC and I can now do
it very reliably. Any idea what the assertion is checking for and what
I can do to prevent this from happening?
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.4
ProcVersionSignature: Ubuntu 2.6.32-23.37-server 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-server x86_64
Architecture: amd64
Date: Tue Feb 8 22:53:43 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: krb5
** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New
** Tags: amd64 apport-bug lucid
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
https://bugs.launchpad.net/bugs/715579
Title:
krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy
is set