Bug 1026861

Summary: RHEL7 ipa krb5.conf.template update to support KEYRING default_ccache_name
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: dhowells, dpal, nalin, nsoman, pviktori, rcritten, sgallagh, spoore, ssorce, svenkatr, tlavigne
Target Milestone: beta
Flags: nsoman: needinfo+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.3-3.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:43:49 UTC
Type: Bug
Bug Depends On: 1017806
Bug Blocks: 991169

Attachments:
- Candidate patch for review (flags: none)
- Kernel patch to fix get_persistent-by-specified-UID (flags: none)

Description Scott Poore 2013-11-05 14:43:15 UTC
Description of problem:

In RHEL7 the default krb5.conf includes:

default_ccache_name = KEYRING:persistent:%{uid}

But, ipa-server does not include that in the template here:

/usr/share/ipa/krb5.conf.template

So, KRB5CCNAME on the client is defaulting back to file:/tmp/something:

[root@rhel7-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.TEST

Valid starting       Expires              Service principal
11/04/2013 21:59:19  11/05/2013 21:59:19  krbtgt/IPA1.EXAMPLE.TEST.TEST

Should this be fixed to support the newer kernel keyring cache type?  

Version-Release number of selected component (if applicable):
[root@rhel7-1 ~]# rpm -qf /usr/share/ipa/krb5.conf.template 
ipa-server-3.3.2-3.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  install ipa server
2.  kinit admin
3.  klist
4.  grep default_ccache_name /etc/krb5.conf

Actual results:
uses old location in /tmp instead of the new keyring support.

Expected results:
should be: KEYRING:persistent:%{uid}.

Additional info:

Comment 4 Martin Kosek 2013-11-05 16:58:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4013

Comment 9 Martin Kosek 2013-11-05 18:22:29 UTC
Created attachment 819931 [details]
Candidate patch for review

Comment 17 David Howells 2013-11-06 13:15:17 UTC
I think the problem is in the UID check here in the kernel for where the requested UID isn't -1 (see the if-statement below with four uid_eq() calls in it):

long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
{
	struct user_namespace *ns = current_user_ns();
	key_ref_t dest_ref;
	kuid_t uid;
	long ret;

	/* -1 indicates the current user */
	if (_uid == (uid_t)-1) {
		uid = current_uid();
	} else {
		uid = make_kuid(ns, _uid);
		if (!uid_valid(uid))
			return -EINVAL;

		/* You can only see your own persistent cache if you're not
		 * sufficiently privileged.
		 */
		if (uid_eq(uid, current_uid()) &&
		    uid_eq(uid, current_suid()) &&
		    uid_eq(uid, current_euid()) &&
		    uid_eq(uid, current_fsuid()) &&
		    !ns_capable(ns, CAP_SETUID))
			return -EPERM;
	}
 ...

Comment 18 Dmitri Pal 2013-11-06 14:05:10 UTC
(In reply to David Howells from comment #17)
> I think the problem is in the UID check here in the kernel for where the
> requested UID isn't -1 (see the if-statement below with four uid_eq() calls
> in it):
> 
> long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
> {
> 	struct user_namespace *ns = current_user_ns();
> 	key_ref_t dest_ref;
> 	kuid_t uid;
> 	long ret;
> 
> 	/* -1 indicates the current user */
> 	if (_uid == (uid_t)-1) {
> 		uid = current_uid();
> 	} else {
> 		uid = make_kuid(ns, _uid);
> 		if (!uid_valid(uid))
> 			return -EINVAL;
> 
> 		/* You can only see your own persistent cache if you're not
> 		 * sufficiently privileged.
> 		 */
> 		if (uid_eq(uid, current_uid()) &&
> 		    uid_eq(uid, current_suid()) &&
> 		    uid_eq(uid, current_euid()) &&
> 		    uid_eq(uid, current_fsuid()) &&
> 		    !ns_capable(ns, CAP_SETUID))
> 			return -EPERM;
> 	}
>  ...

So is the bug in the kernel? If so, should we reassign the ticket?

Comment 19 Stephen Gallagher 2013-11-06 14:11:14 UTC
Don't reassign it, please. This bug is for IPA. We'll reopen the kernel bugzilla that added this feature as FailedQA.

Comment 20 David Howells 2013-11-06 14:16:55 UTC
Created attachment 820403 [details]
Kernel patch to fix get_persistent-by-specified-UID

Here's a patch to fix get_persistent in the kernel.  The UID check when a UID was specified was wrong.  This can be tested with:

	keyctl get_persistent @p
	keyctl get_persistent @p `id -u`
	keyctl get_persistent @p 0

The first two should successfully print the same key ID.  The third should do
the same if called by UID 0 or indicate Operation Not Permitted otherwise.
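
The three keyctl invocations above exercise the UID check quoted in comment 17. The C program below is an added illustration, not one of the bug's attachments and not kernel source: it models that check in user space, with a plain struct of caller credentials standing in for the kernel's current_*() accessors and ns_capable(), and the caller values constructed from the test user in comment 22. The "fixed" variant encodes the semantics I assume the kernel patch restores (refuse only when the requested UID is neither the caller's real nor effective UID and the caller lacks CAP_SETUID); the patch itself is not shown on this page. Note that krb5's KEYRING:persistent:<uid> cache type asks for the caller's own UID by number, which is exactly the one case the quoted condition refuses.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Credentials of the calling task, standing in for current_uid(),
 * current_suid(), current_euid(), current_fsuid() and for
 * ns_capable(ns, CAP_SETUID). Plain uint32_t replaces kuid_t. */
struct creds {
    uint32_t uid, suid, euid, fsuid;
    bool cap_setuid;
};

#define UID_CURRENT UINT32_MAX   /* keyctl(2): uid -1 means "the calling user" */

/* Constructed callers: the test user from comment 22, and root. */
static const struct creds kTestUser = {1913000003u, 1913000003u, 1913000003u, 1913000003u, false};
static const struct creds kRoot     = {0, 0, 0, 0, true};

/* The UID check as quoted in comment 17. Every comparison is an equality
 * test, so the only caller ever refused is one asking for the UID it
 * already holds in all four slots. The rest of the syscall is not modelled. */
static int get_persistent_check_buggy(const struct creds *c, uint32_t req)
{
    if (req == UID_CURRENT)
        return 0;
    if (req == c->uid && req == c->suid && req == c->euid && req == c->fsuid &&
        !c->cap_setuid)
        return -EPERM;
    return 0;
}

/* Assumed intended semantics (the attached kernel patch is not shown on this
 * page): an unprivileged caller may only fetch the persistent keyring of a
 * UID it holds as real or effective UID; CAP_SETUID allows any UID. */
static int get_persistent_check_fixed(const struct creds *c, uint32_t req)
{
    if (req == UID_CURRENT)
        return 0;
    if (req != c->uid && req != c->euid && !c->cap_setuid)
        return -EPERM;
    return 0;
}

/* Run the three commands from comment 20 for one caller and report. */
static void show(const char *who, const struct creds *c,
                 int (*check)(const struct creds *, uint32_t))
{
    const uint32_t reqs[] = {UID_CURRENT, c->uid, 0};
    const char *labels[] = {"keyctl get_persistent @p",
                            "keyctl get_persistent @p `id -u`",
                            "keyctl get_persistent @p 0"};
    for (int i = 0; i < 3; i++) {
        int rc = check(c, reqs[i]);
        printf("%-9s %-34s -> %s\n", who, labels[i],
               rc == 0 ? "ok" : "Operation not permitted");
    }
}

int main(void)
{
    puts("== quoted (buggy) check ==");
    show("testuser1", &kTestUser, get_persistent_check_buggy);
    show("root", &kRoot, get_persistent_check_buggy);
    puts("== assumed fixed check ==");
    show("testuser1", &kTestUser, get_persistent_check_fixed);
    show("root", &kRoot, get_persistent_check_fixed);
    return 0;
}
```

With the quoted condition, `keyctl get_persistent @p` succeeds while `keyctl get_persistent @p $(id -u)` fails for an unprivileged user, which matches the two commands comment 20 says must print the same key ID.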

Comment 22 Scott Poore 2013-11-06 22:01:01 UTC
Ok, testing with the new kernel fix looks like we're back in business for root and non-root:

[root@cloud-qe-21 ~]# rpm -q ipa-server kernel
ipa-server-3.3.3-3.el7.x86_64
kernel-3.10.0-42.el7.x86_64
kernel-3.10.0-43.el7.kpq.x86_64

[root@cloud-qe-21 ~]# uname -a
Linux cloud-qe-21.testrelm.com 3.10.0-43.el7.kpq.x86_64 #1 SMP Wed Nov 6 15:24:52 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

[root@cloud-qe-21 ~]# kinit admin
Password for admin: 

[root@cloud-qe-21 ~]# ipa user-add testuser1 --first=f --last=l
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser1
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 1913000003
  GID: 1913000003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@cloud-qe-21 ~]# ipa passwd testuser1
New Password: 
Enter New Password again to verify: 
---------------------------------------------
Changed password for "testuser1"
---------------------------------------------

[root@cloud-qe-21 ~]# kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@cloud-qe-21 ~]# kdestroy

[root@cloud-qe-21 ~]# su - testuser1
Creating home directory for testuser1.
-sh-4.2$ klist
klist: No credentials cache found while retrieving principal name
-sh-4.2$ kinit 
Password for testuser1: 
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:53:00  11/07/2013 16:52:57  krbtgt/TESTRELM.COM

-sh-4.2$ exit
logout

[root@cloud-qe-21 ~]# ssh testuser1@$(hostname)
testuser1.com's password: 
Last login: Wed Nov  6 16:52:41 2013
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=cloud-qe-21.domain                  
                            JOBID=536476                              
                         RECIPEID=1118439                           
                       LAB_SERVER=                         
                    RESULT_SERVER=127.0.0.1:7081                      
                           DISTRO=RHEL-7.0-20131018.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
-sh-4.2$ id
uid=1913000003(testuser1) gid=1913000003(testuser1) groups=1913000003(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:54:48  11/07/2013 16:54:48  krbtgt/TESTRELM.COM

-sh-4.2$ kdestroy

-sh-4.2$ kinit testuser1
Password for testuser1: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:55:04  11/07/2013 16:55:02  krbtgt/TESTRELM.COM

-sh-4.2$ kinit admin
Password for admin: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_IZ5lJbW
Default principal: admin

Valid starting       Expires              Service principal
11/06/2013 16:55:11  11/07/2013 16:55:09  krbtgt/TESTRELM.COM
-sh-4.2$ cat /proc/keys
05e24aab I--Q---     4 perm 1f3f0000 1913000003 65534 keyring   _uid.1913000003: empty
0a73d0ef I--Q---     4 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
0fde5f13 I--Q---     1 perm 1f3f0000 1913000003 65534 keyring   _uid_ses.1913000003: 1
10e048e3 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 480 [buff]
11b2fa7b I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 178 [buff]
13cf6e45 I--Q---    13 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
14ea85dd I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 177 [buff]
1a15418b I--Q---     2 perm 3f010000 1913000003 1913000003 keyring   _krb: 3
1eb64fa4 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 173 [buff]
1f60f22a I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   krb_ccache_IZ5lJbW: 4
2bce9931 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 37
35423f57 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 33
370b80ce I------     2   2d 1f030000 1913000003 65534 keyring   _persistent.1913000003: 1
375df308 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 490 [buff]
376176e7 I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   1913000003: 4
3aec7ff9 I--Q---     1 perm 3f010000 1913000003 1913000003 user      krb_ccache:primary: 27
3b401d1a I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 182 [buff]

-sh-4.2$ kinit nonroot
Password for nonroot: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_9a1tHsK
Default principal: nonroot

Valid starting       Expires              Service principal
11/06/2013 16:56:06  11/07/2013 16:56:03  krbtgt/TESTRELM.COM
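
The /proc/keys dump above shows how a KEYRING: credential cache is laid out (a per-UID persistent keyring, a krb_ccache_* keyring per cache, big_key entries for tickets) and, in the perm column, who may read each entry. The following C program is an added example, not part of this bug or of any Red Hat tool: it parses lines in the /proc/keys layout (serial, flags, usage, timeout, perm, uid, gid, type, description) and decodes the permission mask using the per-subject byte layout and bit values from keyctl(2), so you can audit whether any ticket payload is readable by group members or other users. The sample lines are copied from the dump above; the helper names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Permission bits per subject, from keyctl(2). Each subject owns one byte of
 * the 32-bit mask: possessor bits 24-31, user 16-23, group 8-15, other 0-7. */
#define KEY_VIEW    0x01
#define KEY_READ    0x02
#define KEY_WRITE   0x04
#define KEY_SEARCH  0x08
#define KEY_LINK    0x10
#define KEY_SETATTR 0x20

enum subject { SUBJ_POS = 24, SUBJ_USR = 16, SUBJ_GRP = 8, SUBJ_OTH = 0 };

struct key_entry {
    unsigned serial, perm, uid, gid;
    int usage;
    char flags[8], timeout[8], type[16], desc[160];
};

/* Parse one /proc/keys line. The description column ends with
 * ": <payload summary>" (e.g. ": 480 [buff]" or ": empty"), which is dropped. */
static bool parse_key_line(const char *line, struct key_entry *k)
{
    if (sscanf(line, "%x %7s %d %7s %x %u %u %15s %159[^\n]",
               &k->serial, k->flags, &k->usage, k->timeout, &k->perm,
               &k->uid, &k->gid, k->type, k->desc) != 9)
        return false;
    char *p = strrchr(k->desc, ':');
    if (p && p[1] == ' ')
        *p = '\0';
    return true;
}

static unsigned perm_bits(unsigned perm, enum subject s) { return (perm >> s) & 0x3f; }

/* Render a mask as "pos:vrwsla usr:v----- grp:------ oth:------" (out >= 44 bytes). */
static const char *format_perm(unsigned perm, char *out)
{
    static const char *names[] = {"pos", "usr", "grp", "oth"};
    static const enum subject subj[] = {SUBJ_POS, SUBJ_USR, SUBJ_GRP, SUBJ_OTH};
    static const char letters[] = "vrwsla";   /* view read write search link setattr */
    char *o = out;
    for (int i = 0; i < 4; i++) {
        unsigned b = perm_bits(perm, subj[i]);
        o += sprintf(o, "%s%s:", i ? " " : "", names[i]);
        for (int bit = 0; bit < 6; bit++)
            *o++ = (b & (1u << bit)) ? letters[bit] : '-';
    }
    *o = '\0';
    return out;
}

/* True if a group member or any other user could read the payload. */
static bool readable_by_non_owner(unsigned perm)
{
    return (perm_bits(perm, SUBJ_GRP) | perm_bits(perm, SUBJ_OTH)) & KEY_READ;
}

/* Constructed input: lines copied from the /proc/keys dump in comment 22. */
static const char *const kSample[] = {
    "05e24aab I--Q---     4 perm 1f3f0000 1913000003 65534 keyring   _uid.1913000003: empty",
    "10e048e3 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 480 [buff]",
    "1f60f22a I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   krb_ccache_IZ5lJbW: 4",
    "370b80ce I------     2   2d 1f030000 1913000003 65534 keyring   _persistent.1913000003: 1",
    "3aec7ff9 I--Q---     1 perm 3f010000 1913000003 1913000003 user      krb_ccache:primary: 27",
};
#define NSAMPLE (sizeof kSample / sizeof kSample[0])

/* Count keys owned by `uid` whose payload is readable beyond owner/possessor. */
static int count_leaky_keys(const char *const *lines, size_t n, unsigned uid)
{
    int leaky = 0;
    for (size_t i = 0; i < n; i++) {
        struct key_entry k;
        if (parse_key_line(lines[i], &k) && k.uid == uid && readable_by_non_owner(k.perm))
            leaky++;
    }
    return leaky;
}

int main(void)
{
    char buf[48];
    for (size_t i = 0; i < NSAMPLE; i++) {
        struct key_entry k;
        if (!parse_key_line(kSample[i], &k))
            continue;
        printf("%08x %-8s %-10u %s  %s\n", k.serial, k.type, k.uid,
               format_perm(k.perm, buf), k.desc);
    }
    printf("keys of uid 1913000003 readable by group/other: %d\n",
           count_leaky_keys(kSample, NSAMPLE, 1913000003u));
    return 0;
}
```

On the sample lines the ticket big_key (perm 3b010000) grants the possessor view/read/search/link/setattr and the owning user view only, and no entry grants group or other any bit, so the count is zero; a non-zero result on a real host is worth investigating.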

Comment 24 Scott Poore 2013-11-12 17:20:32 UTC
Verified per comment #22 above.

Also, quick check on standard install:

[root@ibm-x3650m4-01-vm-15 ~]# grep default_ccache_name /etc/krb5.conf
 default_ccache_name = KEYRING:persistent:%{uid}

Comment 26 Martin Kosek 2013-12-09 11:30:54 UTC
This was just a mistake in a process. Namita, can you please move the Bugzilla back to VERIFIED? I cannot do it myself.

Comment 27 Scott Poore 2013-12-09 14:27:11 UTC
Moving back to verified.

Comment 28 Scott Poore 2013-12-09 14:28:18 UTC
And clearing needinfo flag since I changed to verified.

Comment 29 Ludek Smid 2014-06-13 11:43:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.