#1298 Invalid cache file created when canonicalizing principals during krb5_get_init_creds_keytab()
Closed: Fixed. Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=811518 (Fedora)

If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks
krb5_get_init_creds_keytab() to canonicalize principals. This can change the
client principal. When writing out the credential cache, we should use this
changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the credential
cache:

[19310] 1334138369.931274: Initializing
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ
STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv]
(0x0400): Child responded: 0
[FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on
[1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for server
principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN
-> ldap/dc.ad.thewalter.lan@ using ccache
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@ from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching
credential not found
[18211] 1334138369.946836: Server has referral realm; starting with
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not match
any of the credentials:

[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12
12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

Will attach a simple patch which fixes the problem. An alternate patch would be
to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the
credential cache in sssd code.
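As an added example (not SSSD's code and not part of this ticket), the following Python script reads a FILE: credential cache in MIT ccache format version 4 and reports every credential whose client principal is not byte-for-byte equal to the cache's default principal, which is exactly the state the klist output above shows. The small writer, the dummy key and ticket contents, the enctype and the ticket flags are constructed for the example; only the principal names and timestamps are taken from the ticket. The comparison is deliberately exact, because libkrb5 matches principal names case-sensitively and that is why ccselect and the GSSAPI bind fail here.

```python
"""Check a FILE: credential cache for the mismatch in this ticket: a default
principal that is not byte-for-byte equal to the client principal of the
stored credentials. Kerberos compares principal names case-sensitively, so a
TGT stored for stef-desktop$@REALM is unreachable from a cache whose default
principal is STEF-DESKTOP$@REALM. Only ccache format version 4 is parsed;
a minimal writer is included so the check runs offline on constructed data."""
import struct
import sys

CCACHE_V4 = 0x0504
KRB5_NT_PRINCIPAL = 1


class _Reader:
    """Cursor over the big-endian ccache byte stream."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def num(self, fmt):                   # ">B", ">H" or ">I"
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def octets(self):                     # counted_octet_string
        return self.take(self.num(">I"))

    def principal(self):
        # name type, component count, realm, components; '/' and '@' escaping
        # inside components is not handled by this simplified unparser
        self.num(">I")
        ncomp = self.num(">I")
        realm = self.octets().decode()
        return "/".join(self.octets().decode() for _ in range(ncomp)) + "@" + realm


def parse_ccache(data):
    """Return (default_principal, [(client, server), ...])."""
    r = _Reader(data)
    if r.num(">H") != CCACHE_V4:
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.num(">H"))                   # header tags (KDC time offset etc.)
    default_princ = r.principal()
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        r.num(">H"); r.octets()           # keyblock: enctype, key contents
        r.take(16)                        # authtime, starttime, endtime, renew_till
        r.num(">B"); r.num(">I")          # is_skey, ticket_flags
        for _ in range(r.num(">I")):      # addresses
            r.num(">H"); r.octets()
        for _ in range(r.num(">I")):      # authorization data
            r.num(">H"); r.octets()
        r.octets(); r.octets()            # ticket, second_ticket
        creds.append((client, server))
    return default_princ, creds


def find_mismatches(data):
    """Credentials whose client differs from the default principal. Lookups by
    the default principal (krb5_cc_retrieve_cred) never hit these entries,
    which is the 'Matching credential not found' failure in the ticket."""
    default_princ, creds = parse_ccache(data)
    return [(c, s) for c, s in creds if c != default_princ]


def _octets(b):
    return struct.pack(">I", len(b)) + b


def _principal(name):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    return (struct.pack(">II", KRB5_NT_PRINCIPAL, len(parts)) + _octets(realm.encode())
            + b"".join(_octets(p.encode()) for p in parts))


def build_ccache(default_princ, creds):
    """Serialize a v4 cache from (client, server) pairs; keys and tickets are dummies."""
    header = struct.pack(">HHii", 1, 8, 0, 0)          # DeltaTime tag, zero offset
    out = struct.pack(">HH", CCACHE_V4, len(header)) + header + _principal(default_princ)
    for client, server in creds:
        out += _principal(client) + _principal(server)
        out += struct.pack(">H", 18) + _octets(b"\0" * 32)   # enctype 18, dummy key
        out += struct.pack(">IIII", 1334138369, 1334138369, 1334174369, 1334224861)
        out += struct.pack(">BIII", 0, 0x50a00000, 0, 0)      # is_skey, flags, 0 addrs, 0 authdata
        out += _octets(b"dummy-ticket") + _octets(b"")
    return out


TGT = "krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN"
# Constructed sample mirroring the ticket's klist output: cache initialized
# with the pre-canonicalization name, TGT stored for the canonicalized one.
BUGGY_CACHE = build_ccache("STEF-DESKTOP$@AD.THEWALTER.LAN",
                           [("stef-desktop$@AD.THEWALTER.LAN", TGT)])
# The same cache written the way the fix does it: default principal taken
# from the client of the credential krb5_get_init_creds_keytab() returned.
FIXED_CACHE = build_ccache("stef-desktop$@AD.THEWALTER.LAN",
                           [("stef-desktop$@AD.THEWALTER.LAN", TGT)])

if __name__ == "__main__":               # usage: ccache_check.py [/path/to/ccache]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BUGGY_CACHE
    for client, server in find_mismatches(data):
        print("client %s != default principal (ticket for %s)" % (client, server))
```

Run it with the path of a FILE: cache (for this ticket, the ccache_AD.THEWALTER.LAN file under the sssd db directory) to get one line per credential the default principal can never retrieve; with no argument it reports the constructed buggy cache. Config entries under the X-CACHECONF: realm are checked like any other credential, since libkrb5 stores them under the cache's client principal too and the ticket's trace shows the proxy_impersonator lookup failing for the same reason.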

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.0
tests: => 0
testsupdated: => 0
upgrade: => 0

Fixed by 4d1a261

component: SSSD => Kerberos Provider
owner: somebody => stefw
version: => master

Fields changed

resolution: => fixed
status: new => closed

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 1

Metadata Update from @dpal:
- Issue assigned to stefw
- Issue set to the milestone: SSSD 1.9.0 beta 1

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2340

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
