#1298 Invalid cache file created when canonicalizing principals during krb5_get_init_creds_keytab()

Created 5 years ago by dpal
Modified 6 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=811518 (Fedora)

If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks
krb5_get_init_creds_keytab() to canonicalize principals. This can change the
client principal. When writing out the credential cache, we should use this
changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the credential
cache:

[19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not match
any of the credentials:

[root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

Will attach a simple patch which fixes the problem. An alternate patch would be
to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the
credential cache in sssd code.
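As an added diagnostic (not part of this ticket and not SSSD code): a small shell check that reads klist output for an SSSD ccache and reports any credential whose client principal differs from the cache's default principal, flagging a case-only difference separately since that is exactly the canonicalization symptom described above. The two klist dumps are constructed to mirror the report (before and after the fix); the function name and the /var/lib/sss/db path are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not SSSD code): check a klist dump of an SSSD ccache for a
# credential whose client principal differs from the cache's default principal.
# Exit status: 0 consistent, 1 mismatch found, 2 no "Default principal" line.
check_ccache_principal() {
    awk '
        BEGIN { rc = 0 }
        /^Default principal: / { def = $3; next }
        /^[ \t]*for client / {
            if (def == "") next
            client = $3
            sub(/,$/, "", client)          # strip the comma before "renew until"
            if (client != def) {
                if (tolower(client) == tolower(def))
                    print "MISMATCH (case only): default=" def " credential=" client
                else
                    print "MISMATCH: default=" def " credential=" client
                rc = 1
            }
        }
        END {
            if (def == "") { print "no Default principal line found"; exit 2 }
            if (rc == 0) print "OK: credentials match default principal " def
            exit rc
        }
    '
}

# Constructed klist output mirroring the broken cache in the report: the cache
# was initialized with the un-canonicalized name, the TGT stored under the
# canonicalized one.
BROKEN_KLIST='Ticket cache: FILE:/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01'

# Constructed output for a cache initialized with the canonicalized principal:
# klist prints no "for client" suffix because client and default match.
FIXED_KLIST='Ticket cache: FILE:/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: stef-desktop$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        renew until 04/12/12 12:01:01'

printf '%s\n' "$BROKEN_KLIST" | check_ccache_principal || echo "exit status $?"
printf '%s\n' "$FIXED_KLIST"  | check_ccache_principal || echo "exit status $?"
# On a live host (path assumed):
#   klist /var/lib/sss/db/ccache_AD.THEWALTER.LAN | check_ccache_principal
```

The check leans on a detail of MIT klist: it only appends "for client ..." to an entry when that credential's client principal differs from the cache's default principal, so on a correctly written SSSD cache the TGT line carries no such suffix at all. A case-only mismatch on the krbtgt entry is the signature of this bug; any other mismatch points at a different problem with how the cache was populated.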

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.0
tests: => 0
testsupdated: => 0
upgrade: => 0

Fixed by 4d1a261202d828efc84e3a84d16c30548f29f76d

component: SSSD => Kerberos Provider
owner: somebody => stefw
version: => master

Fields changed

resolution: => fixed
status: new => closed

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 1

Also backported to 1.8.x
- e413168d70c3ac08dc367d9889076e3f32701221

6 months ago

Metadata Update from @dpal:
- Issue assigned to stefw
- Issue set to the milestone: SSSD 1.9.0 beta 1

https://bugzilla.redhat.com/show_bug.cgi?id=811518, https://bugzilla.redhat.com/show_bug.cgi?id=811984, https://bugzilla.redhat.com/show_bug.cgi?id=838566