Learn more about these different git repos.
Other Git URLs
https://bugzilla.redhat.com/show_bug.cgi?id=811518 (Fedora)
If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache: [19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ STEF-DESKTOP$@AD.THEWALTER.LAN [19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369] (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null) [18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@ [18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN [18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] This is because the default principal in the credential cache does not match any of the credentials: [root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN Valid starting Expires Service principal 04/11/12 12:01:01 04/11/12 22:00:48 krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01 Note the difference in capitalization. This bug is present in SSSD git master. Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Fields changed
blockedby: => blocking: => coverity: => feature_milestone: => milestone: NEEDS_TRIAGE => SSSD 1.9.0 tests: => 0 testsupdated: => 0 upgrade: => 0
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=811984
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=811518 811518] => [https://bugzilla.redhat.com/show_bug.cgi?id=811518 811518], [https://bugzilla.redhat.com/show_bug.cgi?id=811984 811984]
Fixed by 4d1a261
component: SSSD => Kerberos Provider owner: somebody => stefw version: => master
resolution: => fixed status: new => closed
milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 1
Also backported to 1.8.x - e413168
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=838566 (Red Hat Enterprise Linux 6)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=811518 811518], [https://bugzilla.redhat.com/show_bug.cgi?id=811984 811984] => [https://bugzilla.redhat.com/show_bug.cgi?id=811518 811518], [https://bugzilla.redhat.com/show_bug.cgi?id=811984 811984], [https://bugzilla.redhat.com/show_bug.cgi?id=838566 838566]
Metadata Update from @dpal: - Issue assigned to stefw - Issue set to the milestone: SSSD 1.9.0 beta 1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2340
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.