[Freeipa-users] FreeOTP

Thu Jun 23 18:22:28 UTC 2016

https://bodhi.fedoraproject.org/updates/FEDORA-2016-0b966047e1

Please test and provide your feedback.

On Wed, 2016-06-22 at 13:21 +0200, Winfried de Heiden wrote:
> Hi all,
> Great news, can't wait for it to be available in Fedora ARM en test.
> Winny
> 
> Op 21-06-16 om 22:23 schreef Nathaniel McCallum:
> > I have found and fixed what I believe to be the issue. I have
> > submitted
> > a patch upstream for review: https://github.com/krb5/krb5/pull/471
> > 
> > Once merged, we will backport the fix into all existing Fedora
> > releases. So you should get an update via a simple: dnf update.
> > 
> > On Thu, 2016-06-16 at 10:28 +0200, Winfried de Heiden wrote:
> > > Hi all,
> > > 
> > > "So it looks a bit like a libverto 32bit issue"; any news or
> > > progress
> > > on 
> > > this? Bugzilla?
> > > 
> > > Winny
> > > 
> > > 
> > > Op 09-06-16 om 18:51 schreef Sumit Bose:
> > > > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum
> > > > wrote:
> > > > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> > > > > > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de
> > > > > > Heiden
> > > > > > wrote:
> > > > > > > Hi all,
> > > > > > > 
> > > > > > > I can install libvert-libev but removing libverto-tevent
> > > > > > > will
> > > > > > > remove 123
> > > > > > > dependencies also. (wget, tomcat and much more...)
> > > > > > > 
> > > > > > > Hence, I installed libverto-libev, but dit not remove
> > > > > > > libverto-
> > > > > > > tevent to give
> > > > > > > it a try. After ipactl restart still the same problem:
> > > > > > fyi, I think I can reproduce the issue on 32bit Fedora. I
> > > > > > tried
> > > > > > libverto-libev as well but I removed libverto-tevent after
> > > > > > installing
> > > > > > libverto-libev with 'rpm -e --nodeps ....' to make sure
> > > > > > libverto has
> > > > > > no
> > > > > > other chance.
> > > > > > 
> > > > > > So it looks a bit like a libverto 32bit issue. I used
> > > > > > libverto-0.2.6-4.fc22. Since I knew that is was working
> > > > > > before
> > > > > > on
> > > > > > 32bits
> > > > > > I tried libverto-0.2.5 and libverto-0.2.4 as well with no
> > > > > > lock.
> > > > > > 
> > > > > > Nathaniel, do you have any suggestions what to check with
> > > > > > gdb?
> > > > > It may not be a libverto issue at all. Just to summarize,
> > > > > krb5kdc
> > > > > sends
> > > > > the otp request to ipa-otpd using RADIUS-over-UNIX-socket.
> > > > > 
> > > > > It appears that ipa-otpd receives the request and sends the
> > > > > appropriate
> > > > > response. However, krb5kdc never appears to receive the
> > > > > request
> > > > > and
> > > > > times out. Once it times out, it closes the socket and ipa-
> > > > > otpd
> > > > > exits.
> > > > > 
> > > > > The question is: why?
> > > > > 
> > > > > This could be a bug in krb5kdc, libkrad or libverto. Does the
> > > > > event
> > > > > actually fire from libverto? Does libkrad process it
> > > > > correctly?
> > > > > Does
> > > > > krb5kdc process it correctly?
> > > > > 
> > > > > There are lots of places to attach gdb. I would probably
> > > > > start
> > > > > here:
> > > > > https://github.com/krb5/krb5/blob/master/src/lib/krad/client.
> > > > > c#L1
> > > > > 93
> > > > It looks like the 3rd argument of recv(), the buffer length,
> > > > becomes
> > > > negative aka very big in on_io_read()
> > > > 
> > > >      i = recv(verto_get_fd(rr->io), rr->buffer.data + rr-
> > > > > buffer.length,
> > > >               pktlen - rr->buffer.length, 0);
> > > > 
> > > > because pktlen is 4 and rr->buffer.length is 16 on my 32bit
> > > > system.
> > > > I
> > > > wonder if pktlen isn't sufficient here because it already is
> > > > the
> > > > result
> > > > of 'len - buffer->length' which is calculated in
> > > > krad_packet_bytes_needed() ?
> > > > 
> > > > bye,
> > > > Sumit
> > > > 
>  