KDC tests fail when unrelated ticket with time skew is at the default location


Harald Barth-2

If there is an unrelated ticket with time skew at the default location

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [hidden email]
    Cache version: 4
  KDC time offset: -23 minutes 22 seconds

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 328
Auth time:  Dec 22 13:33:51 2016
End time:   Dec 29 13:33:51 2016
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

the following tests fail for that reason (shouldn't the tests be
independent of such stuff like unrelated old tickets?)

FAIL: check-kdc
FAIL: check-kdc-weak

When I remove the offending ticket:

PASS: check-kdc
PASS: check-kdc-weak

Now I "only" have to find the reason why these still fail in the kdc tests:

FAIL: check-pkinit
FAIL: check-iprop

Harald.


Re: KDC tests fail when unrelated ticket with time skew is at the default location

Ken Dreyer-2
On Wed, Dec 28, 2016 at 12:48 PM, Harald Barth <[hidden email]> wrote:
> the following tests fail for that reason (shouldn't the tests be
> independent of such stuff like unrelated old tickets?)

It would be nice to use EXAMPLE.ORG realms or something that will
never resolve to a real realm.

> Now I "only" have to find the reason why these still fail in the kdc tests:
>
> FAIL: check-pkinit
> FAIL: check-iprop

Typically the build system leaves some logs behind during "make check"
in each test directory (eg tests/kdc/test-suite.log). You can look
through the tests/kdc code and identify what exact command fails, then
run that command by hand to get more details (is it a crash?)

- Ken

Re: KDC tests fail when unrelated ticket with time skew is at the default location

Harald Barth-2
> It would be nice to use EXAMPLE.ORG realms or something that will
> never resolve to a real realm.

It _does_ use a test realm, but the test nevertheless is disturbed
by a completely unrelated ticket at the default ticket location. That
is a bug in the testing framework or in some utility which does not
abide by the KRB5CCNAME setting and looks at other locations anyway.

> Typically the build system leaves some logs behind during "make check"
> in each test directory (eg tests/kdc/test-suite.log).

Yesss, thanks, now next workday and now I continue the hunt for bugs with
new coffee and bash -x.

>> FAIL: check-pkinit

This seems to be one more bug in the test-suite. What I get is

+ /usr/local/src/heimdal-7.1.0-build-lmdb/kuser/kinit -c FILE:../../tests/kdc/c\
ache.krb5 --no-afslog -C PKCS11:../../tests/kdc/../../lib/hx509/.libs/libhx509.\
so [hidden email]
kinit: Password incorrect

Which is from check-pkinit around these lines:

for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
    if [ -f $dir/$a ] ; then
        file=$dir/$a
        break
    fi
done

if [ X"$file" != X -a true ] ; then

    echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
    ${kinit} -C PKCS11:${file} foo@${R} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

fi

The "-C PKCS11:${file}" seems broken. I guess the -C flag should take
a cert and not a library as an argument. BTW, the -C flag is not
documented in the kinit manual page and it would be good if the messages
"Trying..." would be unique.

>> FAIL: check-iprop

This error was due to wc not being compatible between Linux and FreeBSD:

linux$ echo foo | wc -l
1
freebsd$ echo foo | wc -l
       1

Note the extra spaces which blow up in the following expr which
can not handle that.

Patch:

--- check-iprop.in.orig 2016-12-29 10:25:05.379171000 +0100
+++ check-iprop.in      2016-12-29 10:25:47.205435000 +0100
@@ -384,7 +384,7 @@
     # and LMDB levels.
     #
     echo "checking that principals in DB == entries in LMDB"
-    princs=`${kadmin} -l list '*' | wc -l`
+    princs=`${kadmin} -l list '*' | wc -l | awk '{print $1}'`
     entries=`mdb_stat -n current-db.mdb | grep 'Entries:' | awk '{print $2}'`
     [ "`expr 1 + "$princs"`" -eq "$entries" ] || exit 1
 fi
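
Review bot: on the changed `princs=` line, `wc -l | awk '{print $1}'` uses two processes to produce a number awk can count by itself; `${kadmin} -l list '*' | awk 'END {print NR}'` gives the count with no padding on either platform. The unchanged `expr 1 + "$princs"` line quotes `$princs`, so any padded value reaching it fails the same way; a one-line comment above `princs=` saying why the count is normalised would keep a later cleanup from dropping the awk stage.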

I think it's OK to use awk to get rid of the whitespace as awk already
is used in the script. Another alternative to get rid of spaces would
be

+   set `${kadmin} -l list '*' | wc -l`
+   princs=$1
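
Review bot: `set` with the backquoted output replaces the script's positional parameters at this point, so `$1` and `$#` no longer hold what they held before this line, whereas the awk form in the patch leaves them alone. If this variant is used, write it as `set -- ...` so the command output can never be read as options to `set`.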

Now back to testing different database backends,
Harald.
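
The wc padding problem from the last message, as an added example that is not part of the thread or of Heimdal's test suite. It goes slightly beyond the patch by counting with awk alone and by normalising an already padded value with shell arithmetic; `fake_bsd_wc`, the other function names and the sample principals are constructed for illustration.

```shell
# Hypothetical stand-in for a wc that right-aligns its count (width 8),
# so the padded case can be reproduced on any platform.
fake_bsd_wc() {
    printf '%8d\n' "$(wc -l | tr -d ' ')"
}

# Count lines on stdin without wc: awk prints NR with no padding.
count_lines() {
    awk 'END { print NR }'
}

# Normalise a possibly padded count; shell arithmetic ignores the blanks
# that a quoted argument would carry into expr unchanged.
strip_count() {
    echo $(( $1 + 0 ))
}

# Same comparison as in check-iprop.in (1 + princs == entries),
# made on a normalised count.
db_matches() {
    princs=$(strip_count "$1")
    [ $(( princs + 1 )) -eq "$2" ]
}

# Constructed sample standing in for the output of: kadmin -l list '*'
sample='foo@EXAMPLE.ORG
bar@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

padded=$(printf '%s\n' "$sample" | fake_bsd_wc)   # 3, padded to width 8
clean=$(printf '%s\n' "$sample" | count_lines)    # 3
echo "padded=[$padded] clean=[$clean]"
db_matches "$padded" 4 && echo "counts agree"
```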