[Touch-packages] [Bug 2004560] Re: smbk5pwd test fails due to perms (FS and AppArmor)

Thu, 09 Mar 2023 13:26:41 -0800 

This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2

---------------
openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module
  * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the
    smbk5pwd DEP8 test (LP: #2004560)

 -- Andreas Hasenack <[email protected]>  Fri, 03 Feb 2023 09:33:14
-0300

** Changed in: openldap (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2004560

Title:
  smbk5pwd test fails due to perms (FS and AppArmor)

Status in openldap package in Ubuntu:
  Fix Released

Bug description:
  https://autopkgtest.ubuntu.com/packages/o/openldap/lunar/amd64

  autopkgtest [16:06:32]: test smbk5pwd: [-----------------------
  adding new entry "cn=samba,cn=schema,cn=config"

  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  adding new entry "cn=hdb,cn=schema,cn=config"

  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  modifying entry "cn=module{0},cn=config"

  adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config"

  ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcSmbK5PwdEnable> handler exited with 1
  autopkgtest [16:06:33]: test smbk5pwd: -----------------------]
  autopkgtest [16:06:33]: test smbk5pwd:  - - - - - - - - - - results - - - - - 
- - - - -
  smbk5pwd             FAIL non-zero exit status 80

  I reproduced this in a container, and the failure is two-fold:

  a) /var/lib/heimdal-kdc/ is root:root 0700, and the slapd server needs
  FS read access to the key

  b) Then the slapd apparmor profile blocks it:
  [qui fev  2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242): 
apparmor="DENIED" operation="open" class="file" 
namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" 
profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656 
comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2004560/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to