Ticket #1298 (closed defect: fixed)

Opened 2 years ago

Last modified 22 months ago

Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()

Reported by: dpal
Owned by: stefw
Priority: major
Milestone: SSSD 1.9.0 beta 1
Component: Kerberos Provider
Version: master
Keywords:
Cc:
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted: no
Red Hat Bugzilla: 811518, 811984, 838566
Design link:
Feature Milestone:
Design review:
Fedora test page:
Chosen:
Candidate to push out:
Release Notes:

Description

https://bugzilla.redhat.com/show_bug.cgi?id=811518 (Fedora)

If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks
krb5_get_init_creds_keytab() to canonicalize principals. This can change the
client principal. When writing out the credential cache, we should use this
changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the credential
cache:

[19310] 1334138369.931274: Initializing
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ
STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv]
(0x0400): Child responded: 0
[FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on
[1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for server
principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN
-> ldap/dc.ad.thewalter.lan@ using ccache
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@ from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching
credential not found
[18211] 1334138369.946836: Server has referral realm; starting with
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not match
any of the credentials:

[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12
12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

Will attach simple patch which fixes the problem. An alternate patch would be
to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the
credential cache in sssd code.

Change History

comment:1 Changed 2 years ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0
  • Tests Updated unset
  • tests set to 0
  • upgrade set to 0

comment:2 Changed 2 years ago by dpal

  • Red Hat Bugzilla changed from 811518 (https://bugzilla.redhat.com/show_bug.cgi?id=811518) to 811518 (https://bugzilla.redhat.com/show_bug.cgi?id=811518), 811984 (https://bugzilla.redhat.com/show_bug.cgi?id=811984)

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=811984

comment:3 Changed 2 years ago by sgallagh

  • Component changed from SSSD to Kerberos Provider
  • Version set to master
  • Owner changed from somebody to stefw

comment:4 Changed 2 years ago by sgallagh

  • Resolution set to fixed
  • Status changed from new to closed

comment:5 Changed 2 years ago by sgallagh

  • Milestone changed from SSSD 1.9.0 to SSSD 1.9.0 beta 1

comment:6 Changed 2 years ago by sgallagh

Also backported to 1.8.x

comment:7 Changed 22 months ago by sgallagh

  • Red Hat Bugzilla changed from 811518 (https://bugzilla.redhat.com/show_bug.cgi?id=811518), 811984 (https://bugzilla.redhat.com/show_bug.cgi?id=811984) to 811518 (https://bugzilla.redhat.com/show_bug.cgi?id=811518), 811984 (https://bugzilla.redhat.com/show_bug.cgi?id=811984), 838566 (https://bugzilla.redhat.com/show_bug.cgi?id=838566)

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=838566 (Red Hat Enterprise Linux 6)