apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

Bug #1472639 reported by Kartik Subbarao
Affects: openldap (Ubuntu) | Status: Expired | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l.kcm-socket which is used by kerberos:

apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0

This is as of 2.4.40+dfsg-1ubuntu1.

Tags: apparmor
Robie Basak (racb)
tags: added: apparmor
Changed in openldap (Ubuntu):
importance: Undecided → High
Revision history for this message
Ryan Tandy (rtandy) wrote :

Hi Kartik,

To help me reproduce and verify this, can you describe your setup where slapd stores its credentials in the KCM?

I'm asking because I do see these denials, but they don't appear to affect operation with a keytab, and I haven't been able to get slapd to work without a keytab. I'm guessing I might be missing an option to kinit (thereby caching insufficient credentials), or something.

(I can cache my own credentials in the KCM, and auth with those, just fine.)

Or from a different angle: does your setup work properly if you aa-complain slapd?

Revision history for this message
Kartik Subbarao (subbarao) wrote :

I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but I figured that the error message wasn't a good thing to see.

Sorry I can't be of more help in isolating why this error is showing up.

Robie Basak (racb)
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Harper (raharper)
Revision history for this message
Ryan Harper (raharper) wrote :

Hi,

From what I can tell, looking at the existing slapd apparmor profile, it does not include access to the kcm socket in /run as you say. However, I've yet to discover how to have slapd attempt to access this particular socket.

I've examined a number of Kerberos + OpenLDAP setups and there's no easy answer on how to set up and configure this combination, and certainly no indication which one of those would trigger such an access.

Is there any additional information you can provide to help narrow down what possible configuration is needed and which command or action would trigger?

I'll start reading the LDAP server code to see if I can understand a bit more what the KDC socket is doing, but in the meantime I'd like as much detail as possible.

Note, the version mentioned 2.4.40 appeared between vivid and wily releases; Trusty has 2.4.31 and Xenial/Yakkety are at 2.4.42.

If possible, it would be useful to know if this can be reproduced on Xenial or Yakkety; or if it's only on the older releases (Trusty and Precise would be affected).

Changed in openldap (Ubuntu):
status: New → Incomplete
Revision history for this message
Kartik Subbarao (subbarao) wrote :

Hi Ryan,

Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf:

authz-regexp
    uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??sub?(exampleKrb5PrincipalName=$1@$2)
sasl-realm EXAMPLE.COM
sasl-secprops minssf=0

As I mentioned before, I do have an /etc/krb5.keytab. ldapwhoami -Y GSSAPI works fine. I don't know precisely how slapd ends up using kcm. slapd is linked with libheimbase.so.1, so presumably it ends up calling some heimdal library function that ends up accessing that socket.

Revision history for this message
Ryan Harper (raharper) wrote : Re: [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

Do you have a specific guide or sequence you followed?

1. apt-get install slapd krb5* heimdal-kdc .. etc?

And then the various config changes applied?

I'll keep digging.

On Wed, Jul 20, 2016 at 11:31 AM, Kartik Subbarao <email address hidden>
wrote:

> Hi Ryan,
>
> Thanks for looking into this. Unfortunately I don't have much to add to
> my earlier response in this thread. Here are the only kerberos-related
> types of lines that I have in slapd.conf:
>
> authz-regexp
> uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth
> ldap:///dc=example,dc=com??sub?(exampleKrb5PrincipalName=$1@$2)
> sasl-realm EXAMPLE.COM
> sasl-secprops minssf=0
>
> As I mentioned before, I do have an /etc/krb5.keytab. ldapwhoami -Y
> GSSAPI works fine. I don't know precisely how slapd ends up using kcm.
> slapd is linked with libheimbase.so.1, so presumably it ends up calling
> some heimdal library function that ends up accessing that socket.

Revision history for this message
Kartik Subbarao (subbarao) wrote :

Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes.

In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence.

I've been working around this issue by adding a line to /etc/apparmor.d/local/usr.sbin.slapd, and I'm okay with this workaround. I guess I was assuming that the fix would be a simple patch to /etc/apparmor.d/usr.sbin/slapd to permit the socket (i.e. assuming that Kerberos is fairly standard and it seems reasonable to allow a process like slapd to access the socket if it has permissions to do so).

Given the amount of complexity that now seems to be involved, I'm reluctant to (even implicitly) ask you guys to spend more time on this. Feel free to pursue this as you want, but definitely don't feel any pressure on my account.
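The workaround Kartik describes is a one-line override in /etc/apparmor.d/local/usr.sbin.slapd. The following is an added example (not code from the bug report or from the openldap package) that parses the denial line quoted in the bug description and derives that override, with the file permissions taken from denied_mask rather than from a wildcard; the sample line is the one from the report, and the field regex, function names and rule format are this example's own assumptions.

```python
import re

# Constructed sample input: the denial quoted in the bug description.
DENIAL = ('apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" '
          'name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" '
          'requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0')

# key="quoted value" or key=bareword, as AppArmor audit lines are written
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Canonical order for AppArmor file permission letters in the generated rule
PERM_ORDER = "rwamlkx"


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def local_override_rule(event):
    """Rule granting exactly the denied access on the named path, or None.

    Only DENIED events with a file path and a denied_mask produce a rule;
    anything else (ALLOWED/AUDIT lines, events without a name) is skipped.
    """
    if event.get("apparmor") != "DENIED":
        return None
    name, mask = event.get("name"), event.get("denied_mask", "")
    if not name or not name.startswith("/"):
        return None
    perms = "".join(c for c in PERM_ORDER if c in mask)
    if not perms:
        return None
    return f"{name} {perms},"


def local_override_path(event):
    """/usr/sbin/slapd -> /etc/apparmor.d/local/usr.sbin.slapd (Ubuntu's naming)."""
    return "/etc/apparmor.d/local/" + event["profile"].lstrip("/").replace("/", ".")


if __name__ == "__main__":
    ev = parse_apparmor_event(DENIAL)
    print(local_override_path(ev), "<-", local_override_rule(ev))
```

After appending the rule to the local file, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` and confirm the DENIED line no longer appears.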

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Hi,
this bug was dormant for a long time.
We have to face the fact that, due to the complexity, the lack of an (easy) recreation and the fact that there is a workaround via modifying the apparmor profiles, likely nothing gets changed - unless somebody in the community steps up and does so.

Yet as I read from Kartik, that is somewhat ok for now.

I beg your pardon, sometimes not being able to fix all bugs is a hard truth that makes me sad :-/
I'm happy that you are kind of ok with it in this case.

Revision history for this message
Kartik Subbarao (subbarao) wrote :

No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been resolved by now in newer versions of openldap and kerberos.

In any case, I appreciate your empathy -- if only I could channel it to the maintainers of other software where I've reported bugs that are far more painful to deal with :-)

Revision history for this message
Kartik Subbarao (subbarao) wrote :

While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client. It just calls whatever GSSAPI functions provided by the available library. I'm guessing that library consulted /run/.heim_org.h5l.kcm-socket as one of the places to check for cached credentials.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Hi Kartik,

Are you still facing this issue? Which Ubuntu release are you using? Do you have the steps to reproduce the failure now?

TIA!

Changed in openldap (Ubuntu):
assignee: Ryan Harper (raharper) → nobody
Revision history for this message
Kartik Subbarao (subbarao) wrote :

Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've long since added the local customization to /etc/apparmor.d/local/usr.sbin.slapd which made the problem go away. It's possible that this workaround isn't needed anymore, I haven't tested that.

I just thought I'd share the idea that came to mind in case it might be of interest to anyone who worked on this issue or who might otherwise be interested.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired