Bug 507984

Summary: In the absence of KRB5CCNAME, use default credentials cache, like kinit
Product: [Fedora] Fedora Reporter: Bojan Smojver <bojan>
Component: pam_krb5 Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhide CC: nalin
Target Milestone: --- Keywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 2.3.7-1 Doc Type: Bug Fix
Last Closed: 2009-06-26 21:38:11 UTC Type: ---
Attachments (description, flags):
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
Set default ccname in the absence of KRB5CCNAME env variable (flags: none)
patch to use krb5_cc_default_name() and do similar things for v4 tickets (flags: none)

Description Bojan Smojver 2009-06-25 00:30:20 UTC
Created attachment 349319
Set default ccname in the absence of KRB5CCNAME env variable

Description of problem:
PAM_REINITIALIZE_CRED only obeys the environment variable, but this variable may not be set. In that case, it should try the default credentials cache, as specified in the kinit manual page.

Version-Release number of selected component (if applicable):
2.3.6-1.fc12

How reproducible:
Always.

Steps to Reproduce:
1. Run src/harness --auth --setcred-reinitialize without KRB5CCNAME in the env.
  
Actual results:
Does not reissue the TGT.

Expected results:
Should reissue the TGT, if we have a default CC.

Additional info:
May be related to bug #187485.

Comment 1 Bojan Smojver 2009-06-25 00:52:05 UTC
Created attachment 349321
Set default ccname in the absence of KRB5CCNAME env variable

Correct the comment.

Comment 2 Bojan Smojver 2009-06-25 03:25:50 UTC
Created attachment 349327
Set default ccname in the absence of KRB5CCNAME env variable

Add debugging code.

Comment 3 Bojan Smojver 2009-06-25 08:01:03 UTC
Created attachment 349355
Set default ccname in the absence of KRB5CCNAME env variable

Use PATH_MAX for the size of the ccname. Use snprintf() instead of sprintf().

Comment 4 Bojan Smojver 2009-06-25 09:25:20 UTC
Created attachment 349364
Set default ccname in the absence of KRB5CCNAME env variable

Although previous patches worked, it seems that the code differentiates between v5ccname and v5filename. So, this patch follows that rule.

Comment 5 Bojan Smojver 2009-06-26 01:54:15 UTC
Created attachment 349495
Set default ccname in the absence of KRB5CCNAME env variable

This patch improves a bit on the logic of the default ccname when reinitialising, by removing some unnecessary ifs.

However, the main change is that we now obey KRB5CCNAME in establish, if it exists in the environment. With this, src/harness --auth --establish actually issues the ticket specified in KRB5CCNAME. This is useful in situations where this environment variable is pre-set by an administrator.

Comment 6 Bojan Smojver 2009-06-26 03:05:37 UTC
Created attachment 349503
Set default ccname in the absence of KRB5CCNAME env variable

Use unsigned types for printing uid_t.

Comment 7 Nalin Dahyabhai 2009-06-26 17:29:56 UTC
(In reply to comment #5)
> Created an attachment (id=349495)
> Set default ccname in the absence of KRB5CCNAME env variable

Better to use the krb5_cc_default_name() function for this, as it's what the libraries do.

> However, the main change is that we now obey KRB5CCNAME in establish, if it
> exists in the environment. With this, src/harness --auth --establish actually
> issues the ticket specified in KRB5CCNAME. This is useful in situations where
> this environment variable is pre-set by an administrator.

Um, no.  That would overwrite my ccache irreversibly if I were to su to another user using pam_krb5, and if I'm reading the patch right, delete it when the su session was closed.

Comment 8 Nalin Dahyabhai 2009-06-26 21:19:32 UTC
Created attachment 349610
patch to use krb5_cc_default_name() and do similar things for v4 tickets

Comment 9 Bojan Smojver 2009-06-26 23:01:23 UTC
Thanks. Not being too familiar with the code, I was just stumbling along there :-)

Comment 10 Nalin Dahyabhai 2009-06-29 17:49:23 UTC
No problem, and thanks for taking a stab at it regardless.
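
The fallback discussed in comments 3 through 7, as an added example (not one of the attached patches and not pam_krb5 code): pick the ccache name for a reinitialize, bound it with snprintf() and PATH_MAX, print uid_t through an unsigned type, and keep the ccache name and the file name distinct. The function names are hypothetical, and the `FILE:/tmp/krb5cc_<uid>` pattern is an assumption standing in for krb5_cc_default_name() so the sketch builds without libkrb5.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper: choose the ccache name to refresh on reinitialize.
 * env_ccname is the KRB5CCNAME value or NULL. The fallback pattern is an
 * assumption (kinit's traditional default); code linked against libkrb5
 * should call krb5_cc_default_name() instead, as comment 7 recommends. */
int resolve_ccname(const char *env_ccname, uid_t uid, char *out, size_t len)
{
    int n;

    if (env_ccname != NULL && env_ccname[0] != '\0')
        n = snprintf(out, len, "%s", env_ccname);
    else /* uid_t has no printf conversion of its own: cast to unsigned long */
        n = snprintf(out, len, "FILE:/tmp/krb5cc_%lu", (unsigned long)uid);
    if (n < 0 || (size_t)n >= len) { /* truncated name: refuse to use it */
        if (len > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical helper: map a ccache name to the file behind it, or NULL
 * when the cache is not file-backed (for example "MEMORY:..."). */
const char *ccname_to_filename(const char *ccname)
{
    if (strncmp(ccname, "FILE:", 5) == 0)
        return ccname + 5;
    return ccname[0] == '/' ? ccname : NULL; /* bare path means FILE */
}

int main(void)
{
    char ccname[PATH_MAX];
    const char *file;

    if (resolve_ccname(getenv("KRB5CCNAME"), getuid(), ccname, sizeof(ccname)) != 0)
        return 1;
    file = ccname_to_filename(ccname);
    printf("ccname=%s file=%s\n", ccname, file ? file : "(not file-backed)");
    return 0;
}
```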