Re: [Freeipa-users] FreeOTP

[Winfried de Heiden]

Hi all, I agree on it's look like a 32 bit issue. Trying to reproduce on Fedora 64 bit; no problems Trying to reproduce on Fedora 23 32 bit (x886): [root@freeipa ~]# journalctl -l -u ipa-otpd@0-6397-0.service -- Logs begin at vr 2016-06-10 09:23:33 CEST, end at vr 2016-06-10 10:53:28 CEST. -- jun 10 10:53:27 freeipa.local.lan systemd[1]: Started ipa-otpd service (PID 6397/UID 0). jun 10 10:53:27 freeipa.local.lan systemd[1]: Starting ipa-otpd service (PID 6397/UID 0)... jun 10 10:53:27 freeipa.local.lan ipa-otpd[7320]: LDAP: ldapi://%2fvar%2frun%2fslapd-LOCAL-LAN.socket jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: request received jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: user query start jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: user query end: uid=otpuser,cn=users,cn=accounts,dc=local,dc=lan jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: bind start: uid=otpuser,cn=users,cn=accounts,dc=local,dc=lan jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: bind end: success jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: response sent: Access-Accept jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: stdio.c:073: Connection reset by peer: Error receiving packet jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Main process exited, code=exited, status=1/FAILURE jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Unit entered failed state. jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Failed with result 'exit-code'. Same error as on Fedora ARM which is also 32 bit. Removing libverto-tevent doesn't work. Cheers you all! Winny Op 09-06-16 om 18:51 schreef Sumit Bose: On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote: On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote: On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote: Hi all, I can install libvert-libev but removing libverto-tevent will remove 123 dependencies also. (wget, tomcat and much more...) Hence, I installed libverto-libev, but dit not remove libverto- tevent to give it a try. After ipactl restart still the same problem: fyi, I think I can reproduce the issue on 32bit Fedora. I tried libverto-libev as well but I removed libverto-tevent after installing libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has no other chance. So it looks a bit like a libverto 32bit issue. I used libverto-0.2.6-4.fc22. Since I knew that is was working before on 32bits I tried libverto-0.2.5 and libverto-0.2.4 as well with no lock. Nathaniel, do you have any suggestions what to check with gdb? It may not be a libverto issue at all. Just to summarize, krb5kdc sends the otp request to ipa-otpd using RADIUS-over-UNIX-socket. It appears that ipa-otpd receives the request and sends the appropriate response. However, krb5kdc never appears to receive the request and times out. Once it times out, it closes the socket and ipa-otpd exits. The question is: why? This could be a bug in krb5kdc, libkrad or libverto. Does the event actually fire from libverto? Does libkrad process it correctly? Does krb5kdc process it correctly? There are lots of places to attach gdb. I would probably start here: https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193 It looks like the 3rd argument of recv(), the buffer length, becomes negative aka very big in on_io_read() i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length, pktlen - rr->buffer.length, 0); because pktlen is 4 and rr->buffer.length is 16 on my 32bit system. I wonder if pktlen isn't sufficient here because it already is the result of 'len - buffer->length' which is calculated in krad_packet_bytes_needed() ? bye, Sumit

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project