aklog needs to be included in tests


Ted Creedon
./configure --with-berkeley-db  --with-x  --enable-pthread-support --enable-kcm

compiles & passes make check on SUSE Leap 4.2

However the -aklog switch isn't working.

Can someone verify the specific krb5.conf switches to enable afslog?

I have 7.0.1 up  in IBM's eclipse IDE which seems to work fine

tedc
________________________________________
From: Heimdal-discuss <[hidden email]> on behalf of [hidden email] <[hidden email]>
Sent: Thursday, December 29, 2016 1:10 AM
To: [hidden email]
Subject: Heimdal-discuss Digest, Vol 8, Issue 10

Today's Topics:

   1. Re: Heimdal 7.1 and the sqlite backend (Harald Barth)
   2. Re: Heimdal 7.1 no success with database backend (sqlite and
      others) (Harald Barth)
   3. KDC tests fail when unrelated ticket with time skew is at the
      default location (Harald Barth)
   4. Re: KDC tests fail when unrelated ticket with time skew is at
      the default location (Ken Dreyer)
   5. Re: KDC tests fail when unrelated ticket with time skew is at
      the default location (Harald Barth)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Dec 2016 14:17:01 +0100 (CET)
From: Harald Barth <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: Heimdal 7.1 and the sqlite backend
Message-ID:
        <[hidden email]>
Content-Type: Text/Plain; charset=us-ascii


> So, in /etc/krb5.conf you should have this:
>
> [hdb]
>     db-dir = /var/heimdal
>
> (or wherever you put your HDB)

Sure, and then it gets more and more confusing. I now start the
kdc and the kadmin with -c /etc/krb5.conf and have a symlink
in /var/heimdal/kdc.conf pointing to /etc/krb5.conf.

# /usr/heimdal-7.1.0/libexec/kdc  -c /etc/krb5.conf&
[1] 80459
# /usr/heimdal-7.1.0/bin/kadmin -l -c /etc/krb5.conf
kadmin> get *
kadmin: opening database: dbm_open(/var/heimdal/heimdal): No such file or directory
kadmin: kadm5_get_principals: dbm_open(/var/heimdal/heimdal): No such file or directory
kadmin> init TEST.PDC.KTH.SE
kadmin: hdb_open: hdb_open: failed initialize database /var/heimdal/heimdal
kadmin>

So kadmin is sure doing the wrong thing here.

# cat /etc/krb5.conf
[hdb]
  db-dir = /var/heimdal
  dbname = sqlite:/var/heimdal/mydb.sqlite
[kdc]
 database = {
    dbname = sqlite:/var/heimdal/mydb.sqlite
    realm = TEST.PDC.KTH.SE
 }
 require_preauth = true
 enable-http = true
 tgt-use-strongest-session-key = true
 svc-use-strongest-session-key = true
 preauth-use-strongest-session-key = true
 use-strongest-server-key = true
 kdc_warn_pwexpire = 1w
[logging]
 kdc = 0-/FILE:/var/heimdal/kdc.log
 kdc = 0-/SYSLOG:INFO:USER
 default = 0-/FILE:/var/log/heimdal.log

Then I get the following logging from the kdc startup:

2016-12-28T13:57:20 label: default
2016-12-28T13:57:20     dbname: sqlite:/var/heimdal/mydb.sqlite
2016-12-28T13:57:20     mkey_file: sqlite:/var/heimdal/mydb.mkey
2016-12-28T13:57:20     acl_file: /var/heimdal/kadmind.acl

So the problem seems to be that I can not convince kadmin to open the
same database because I don't know what to write in the krb5.conf
to make that happen. I can verify with ktrace that /etc/krb5.conf
(see above) actually is read but then what logic is applied when
parsing - I have not found out how to follow that.

Harald.


------------------------------

Message: 2
Date: Wed, 28 Dec 2016 17:13:48 +0100 (CET)
From: Harald Barth <[hidden email]>
To: [hidden email]
Subject: Re: Heimdal 7.1 no success with database backend (sqlite and
        others)
Message-ID:
        <[hidden email]>
Content-Type: Text/Plain; charset=us-ascii


Well, not even when I unconfigure sqlite support it does not pass make check.

Error message: "kadmin: No database support for /var/heimdal/heimdal"

So I suspect that with

#  ./configure --with-libintl --with-libintl-include=/usr/local/include --with-libintl-lib=/usr/local/lib --prefix=/usr/heimdal-7.1.0-lmdb --disable-kcm --with-openssl --with-openssl-include=/usr/include --with-openssl-lib=/usr/lib --disable-otp --enable-pthread-support --with-readline=/usr/local --with-hdbdir=/var/heimdal --without-berkeley-db --enable-digest --with-ipv6 --enable-kx509 --without-openldap --enable-pk-init --without-sqlite3 --with-x --x-libraries=/usr/local/lib --x-includes=/usr/local/include --localstatedir=/var --disable-silent-rules --disable-ndbm-db --enable-mdb-db "CFLAGS=-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath -Wl,/usr/local/lib -lintl"

it does produce some kind of broken hdb library that will not pass
make check, at least not on FreeBSD11 :-(

I'll continue in the search for a configure line that actually makes
something that passes make check to start with.

Harald.




------------------------------

Message: 3
Date: Wed, 28 Dec 2016 20:48:46 +0100 (CET)
From: Harald Barth <[hidden email]>
To: [hidden email]
Subject: KDC tests fail when unrelated ticket with time skew is at the
        default location
Message-ID:
        <[hidden email]>
Content-Type: Text/Plain; charset=us-ascii


If there is an unrelated ticket with time skew at the default location

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [hidden email]
    Cache version: 4
  KDC time offset: -23 minutes 22 seconds

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 328
Auth time:  Dec 22 13:33:51 2016
End time:   Dec 29 13:33:51 2016
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

the following tests fail for that reason (shouldn't the tests be
independent of such stuff like unrelated old tickets?)

FAIL: check-kdc
FAIL: check-kdc-weak

When I remove the offending ticket:

PASS: check-kdc
PASS: check-kdc-weak

Now I "only" have to find the reason why these still fail in the kdc tests:

FAIL: check-pkinit
FAIL: check-iprop

Harald.



------------------------------

Message: 4
Date: Wed, 28 Dec 2016 17:35:40 -0700
From: Ken Dreyer <[hidden email]>
To: Harald Barth <[hidden email]>
Cc: [hidden email]
Subject: Re: KDC tests fail when unrelated ticket with time skew is at
        the default location
Message-ID:
        <CAD3FbMWFpgCcT67Gtfw4zdL+Tf84v4=[hidden email]>
Content-Type: text/plain; charset=UTF-8

On Wed, Dec 28, 2016 at 12:48 PM, Harald Barth <[hidden email]> wrote:
> the following tests fail for that reason (shouldn't the tests be
> independent of such stuff like unrelated old tickets?)

It would be nice to use EXAMPLE.ORG realms or something that will
never resolve to a real realm.

> Now I "only" have to find the reason why these still fail in the kdc tests:
>
> FAIL: check-pkinit
> FAIL: check-iprop

Typically the build system leaves some logs behind during "make check"
in each test directory (eg tests/kdc/test-suite.log). You can look
through the tests/kdc code and identify what exact command fails, then
run that command by hand to get more details (is it a crash?)

- Ken


------------------------------

Message: 5
Date: Thu, 29 Dec 2016 10:10:22 +0100 (CET)
From: Harald Barth <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: KDC tests fail when unrelated ticket with time skew is at
        the default location
Message-ID:
        <[hidden email]>
Content-Type: Text/Plain; charset=us-ascii

> It would be nice to use EXAMPLE.ORG realms or something that will
> never resolve to a real realm.

It _does_ use a test realm, but the test nevertheless is disturbed
by a completely unrelated ticket at the default ticket location. That
is a bug in the testing framework or in some utility which does not
abide by setting KRB5CCNAME and looks at other locations anyway.

> Typically the build system leaves some logs behind during "make check"
> in each test directory (eg tests/kdc/test-suite.log).

Yesss, thanks, now next workday and now I continue the hunt for bugs with
new coffee and bash -x.

>> FAIL: check-pkinit

This seems to be one more bug in the test-suite. What I get is

+ /usr/local/src/heimdal-7.1.0-build-lmdb/kuser/kinit -c FILE:../../tests/kdc/c\
ache.krb5 --no-afslog -C PKCS11:../../tests/kdc/../../lib/hx509/.libs/libhx509.\
so [hidden email]
kinit: Password incorrect

Which is from check-pkinit around these lines:

for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
    if [ -f $dir/$a ] ; then
        file=$dir/$a
        break
    fi
done

if [ X"$file" != X -a true ] ; then

    echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
    ${kinit} -C PKCS11:${file} foo@${R} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

fi

The "-C PKCS11:${file}" seems broken. I guess the -C flag should take
a cert and not a library as an argument. BTW, the -C flag is not
documented in the kinit manual page and it would be good if the messages
"Trying..." would be unique.

>> FAIL: check-iprop

This error was due to wc not being compatible between Linux and FreeBSD:

linux$ echo foo | wc -l
1
freebsd$ echo foo | wc -l
       1

Note the extra spaces which blow up in the following expr which
can not handle that.

Patch:

--- check-iprop.in.orig 2016-12-29 10:25:05.379171000 +0100
+++ check-iprop.in      2016-12-29 10:25:47.205435000 +0100
@@ -384,7 +384,7 @@
     # and LMDB levels.
     #
     echo "checking that principals in DB == entries in LMDB"
-    princs=`${kadmin} -l list '*' | wc -l`
+    princs=`${kadmin} -l list '*' | wc -l | awk '{print $1}'`
     entries=`mdb_stat -n current-db.mdb | grep 'Entries:' | awk '{print $2}'`
     [ "`expr 1 + "$princs"`" -eq "$entries" ] || exit 1
 fi
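
Review bot: On the changed princs= line, the wc -l | awk '{print $1}' pair can be a single awk 'END {print NR}', which prints the line count with no padding on either platform and drops one process from the pipeline. Separately, the [ ... ] || exit 1 check in the context below it exits without printing $princs and $entries, so a mismatch leaves nothing in the log to show which side was off; echoing both values before exit 1 would make the failure diagnosable.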

I think it's OK to use awk to get rid of the whitespace as awk already
is used in the script. Other alternative to get rid of spaces would
be

+   set `${kadmin} -l list '*' | wc -l`
+   princs=$1

Now back to testing different database backends,
Harald.




Re: aklog needs to be included in tests

Jeffrey Altman-2
On 12/29/2016 1:56 PM, Ted Creedon wrote:
> ./configure --with-berkeley-db  --with-x  --enable-pthread-support --enable-kcm
>
> compiles & passes make check on SUSE Leap 4.2
>
> However the -aklog switch isn't working.

There is no -aklog switch.   I suspect you mean -afslog.
>
> Can someone verify the specific krb5.conf switches to enable afslog?

I sent a summary of the options in response to your query on the OpenAFS
mailing list.


As for adding "kinit -afslog" support to the test suite, that is hard
because AFS should not be a requirement for building and testing Heimdal.

The Heimdal afs functionality is fragile.  Perhaps it should be replaced
with executing aklog as a child process.  That approach has the
following benefits:

1. Heimdal developers do not need to maintain AFS specific code that
   they cannot easily test.

2. The tokens that are obtained will match those that the installed
   AFS client can support

3. It will work on operating systems such as Windows which do not use
   the pioctl interface that Heimdal carries support for.

Jeffrey Altman
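
The child-process approach proposed in the message above, sketched in C as an added example (not code from Heimdal or from this thread). run_token_helper() is a hypothetical name, aklog is invoked without arguments, and the cache path is a constructed sample; the helper is pointed at one explicit credential cache through KRB5CCNAME and a missing aklog is reported as "not installed" rather than as a failure.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Run a token helper (e.g. aklog) as a child process against one specific
 * credential cache. Returns the helper's exit status, 127 if it is not
 * installed, or -1 on fork/wait failure or abnormal termination.
 * run_token_helper() is a hypothetical name, not a Heimdal function.
 */
int run_token_helper(const char *prog, char *const argv[], const char *ccname)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: point the helper at the cache the caller just filled,
         * so it does not fall back to the default cache location. */
        if (ccname != NULL && setenv("KRB5CCNAME", ccname, 1) != 0)
            _exit(126);
        execvp(prog, argv);          /* no shell; argv is passed verbatim */
        _exit(errno == ENOENT ? 127 : 126);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *args[] = { "aklog", NULL };
    /* Constructed sample cache name, not taken from the thread. */
    int rc = run_token_helper("aklog", args, "FILE:/tmp/krb5cc_example");

    if (rc == 127)
        fprintf(stderr, "aklog not installed; skipping AFS tokens\n");
    else if (rc != 0)
        fprintf(stderr, "aklog failed (status %d)\n", rc);
    return 0;
}
```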


