#9267 Unconditionally adding 'includedir /var/lib/sss/pubconf/krb5.include.d' to /etc/krb5.conf breaks Java's ability to parse krb5.conf
Closed: fixed 11 months ago by frenaud. Opened a year ago by yrro.

Issue

ipa-client-install adds the following to /etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

Some time since I ran ipa-client-install on my (Debian) machine, sssd-krb5 started shipping this config file:

$ cat /etc/krb5.conf.d/enable_sssd_conf_dir
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/

So the net effect is that the same directory is included twice. This is harmless for most applications but the JVM implements its own parsing of krb5.conf & it refuses to parse the file if the same file is included twice. The code that does so is here: https://github.com/openjdk/shenandoah/blob/998f68b26b8d2a5178a30a6c5b596194961e3821/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L595

So, on systems where there is already an includedir /var/lib/sss/pubconf/krb5.include.d directive in any of the files included by /etc/krb5.conf, ipa-client-install shouldn't add its own includedir /var/lib/sss/pubconf/krb5.include.d directive to /etc/krb5.conf.

I have no idea what to do with upgrades. Probably have a post-install script check if includedir /var/lib/sss/pubconf/krb5.include.d is present twice and remove it from /etc/krb5.conf if so?

Steps to Reproduce

  1. Run ipa-client-install
  2. Create /etc/krb5.conf.d/enable_sssd_conf_dir with above contents if not already present
  3. Download Apache Directory Studio
  4. Edit ApacheDirectoryStudio.ini, add the line -Dsun.security.krb5.debug=true
  5. Run Apache Directory Studio from a terminal, add an LDAP server, configure it to use GSSAPI for authentication
  6. Press the Check Authentication button in the connection editor (Authentication tab)
  7. Observe the following logged to the terminal:
Java config name: null
Native config name: /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf.d/freeipa
Loading krb5 profile at /etc/krb5.conf.d/enable_sssd_conf_dir
Loading krb5 profile at /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
Loading krb5 profile at /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
Loading krb5 profile at /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
Loading krb5 profile at /etc/krb5.conf.d/kcm_default_ccache
Loading krb5 profile at /etc/krb5.conf.d/debian
Loading krb5 profile at /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
Exception thrown in loading config:
java.io.IOException: Profile path included more than once
    at java.security.jgss/sun.security.krb5.Config.readConfigFileLines(Config.java:596)
    at java.security.jgss/sun.security.krb5.Config.readConfigFileLines(Config.java:623)
    at java.security.jgss/sun.security.krb5.Config$1.run(Config.java:694)
    at java.security.jgss/sun.security.krb5.Config$1.run(Config.java:685)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:891)
    at java.security.jgss/sun.security.krb5.Config.loadConfigFile(Config.java:684)
    at java.security.jgss/sun.security.krb5.Config.<init>(Config.java:235)
    at java.security.jgss/sun.security.krb5.Config.refresh(Config.java:152)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:533)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:2208)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:2031)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:474)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1261)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:488)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:323)
    at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
    at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)

Actual behavior

JGSS throws a krb5.conf loading failed exception; the reason for the exception being thrown is only printed when the JVM is run with -Dsun.security.krb5.debug=true: https://github.com/openjdk/shenandoah/blob/998f68b26b8d2a5178a30a6c5b596194961e3821/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L246

Expected behavior

No exception thrown

Version/Release/Distribution

Debian testing/unstable

ii freeipa-client 4.9.8-1+b3 amd64 FreeIPA centralized identity framework -- client
ii sssd-krb5 2.7.4-2~1.gbpd8bee8 amd64 System Security Services Daemon -- Kerberos back end

Additional info:

Let's mutter a quiet curse that the JVM implements its own krb5.conf parsing and that it
does so in a way that is not compatible with MIT Kerberos. :)
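The following is an added example (not part of this ticket or of the FreeIPA code base) that reproduces the check the JVM's sun.security.krb5.Config performs: it walks include/includedir directives from a krb5.conf and reports every profile file that is reached more than once, which is exactly the condition that triggers "Profile path included more than once". It also shows the post-install cleanup the report suggests, dropping an includedir line when it duplicates one reachable elsewhere. The sample tree it builds under a temporary directory is constructed to mirror the layout in the report (krb5.conf including both krb5.conf.d and the SSSD pubconf directory, with the SSSD snippet in krb5.conf.d including pubconf again); the file-name rule used for includedir (alphanumerics, dashes, underscores, optional .conf suffix) is taken from the MIT krb5.conf documentation and is an assumption here rather than something stated in the ticket.

```python
"""Detect krb5.conf profile files reached more than once via include /
includedir, the condition the JVM's krb5.conf parser rejects.
Added example; not FreeIPA or SSSD code."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# "include FILE" / "includedir DIR"; a trailing slash on DIR is common.
_INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)\s*$")
# Files an includedir picks up: alphanumerics, '-', '_', optional .conf suffix
# (assumed from the MIT krb5.conf documentation).
_INCLUDE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def _profile_files(root: Path, seen=None):
    """Yield every profile file reached from root, in load order, repeats
    included. A file already scanned is yielded again (so it counts as a
    duplicate) but not descended into, which keeps include loops finite."""
    seen = set() if seen is None else seen
    yield root
    key = str(root.resolve())
    if key in seen:
        return
    seen.add(key)
    try:
        lines = root.read_text().splitlines()
    except OSError:
        return
    for line in lines:
        m = _INCLUDE_RE.match(line)
        if not m:
            continue
        kind, target = m.groups()
        target = Path(target)
        if kind == "include":
            yield from _profile_files(target, seen)
        elif target.is_dir():
            for name in sorted(os.listdir(target)):
                if _INCLUDE_NAME_RE.match(name) and (target / name).is_file():
                    yield from _profile_files(target / name, seen)


def duplicate_profiles(conf: str) -> dict:
    """Map resolved path -> load count for files loaded more than once.
    An empty dict means the JVM parser would accept this include graph."""
    counts = Counter(str(p.resolve()) for p in _profile_files(Path(conf)))
    return {p: n for p, n in counts.items() if n > 1}


def drop_includedir(conf_text: str, dirname: str) -> str:
    """Return conf_text without 'includedir dirname' lines (trailing '/'
    tolerated): the post-install cleanup the report proposes."""
    want = dirname.rstrip("/")
    kept = []
    for line in conf_text.splitlines():
        m = _INCLUDE_RE.match(line)
        if m and m.group(1) == "includedir" and m.group(2).rstrip("/") == want:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def build_sample_tree() -> str:
    """Constructed layout mirroring the report, under a temp dir:
    krb5.conf includes krb5.conf.d/ and the pubconf dir; the SSSD snippet in
    krb5.conf.d includes the pubconf dir again. Returns the krb5.conf path."""
    base = Path(tempfile.mkdtemp(prefix="krb5-example-"))
    confd, pubconf = base / "krb5.conf.d", base / "krb5.include.d"
    confd.mkdir()
    pubconf.mkdir()
    (pubconf / "krb5_libdefaults").write_text("[libdefaults]\n")
    (pubconf / "domain_realm_ipa_example_com").write_text("[domain_realm]\n")
    (confd / "enable_sssd_conf_dir").write_text(f"includedir {pubconf}/\n")
    conf = base / "krb5.conf"
    conf.write_text(f"includedir {confd}\nincludedir {pubconf}/\n[libdefaults]\n")
    return str(conf)


if __name__ == "__main__":
    conf = build_sample_tree()
    print("loaded more than once:", duplicate_profiles(conf))
    pubconf_dir = str(Path(conf).parent / "krb5.include.d")
    Path(conf).write_text(drop_includedir(Path(conf).read_text(), pubconf_dir))
    print("after dropping the duplicate includedir:", duplicate_profiles(conf))
```

Run against a real system by calling duplicate_profiles("/etc/krb5.conf"); a non-empty result is the misconfiguration this ticket describes, and it will be silent for MIT Kerberos clients while breaking every JGSS consumer on the host.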


Pull request that implements skipping this modification is welcome!

I checked how many places we have for that:

$ git grep includedir
freeipa.spec.in:            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
install/share/krb5.conf.template:includedir /var/lib/sss/pubconf/krb5.include.d/
ipaclient/install/client.py:                'name': 'includedir',
ipaclient/install/client.py:                'name': 'includedir',
ipaserver/install/krbinstance.py:            includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)

A simple one would be to remove it from the krb5.conf template but that is not enough. ;)

On my F37 system /etc/krb5.conf.d/enable_sssd_conf_dir comes with sssd-krb5-2.8.0-1.fc37. The change that added the snippet comes with sssd 2.6.2 or later:

$ git tag --contains 2a3035d30adf81cee05add8f6142f1d85d553909
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.8.0

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2188567

11 months ago

master:

  • a83ae63 Drop duplicate includedir from krb5.conf

ipa-4-9:

  • fe22e7d Drop duplicate includedir from krb5.conf

ipa-4-10:

  • bdb77a3 Drop duplicate includedir from krb5.conf

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

11 months ago

master:

  • d7a27a2 ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf

ipa-4-9:

  • 1b51fa4 ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf

ipa-4-10:

  • 8d34f45 ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf
