Bug 711416

Summary: During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: benl, dpal, grajaiya, jgalipea, jhrozek, kbanerje, prc, sbose
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.5.1-42.el6
Doc Type: Bug Fix
Doc Text:
Cause: During the login process, SSSD may attempt to create a ccache file for the user if the old ccache file has already expired. The SSH daemon uses different processes with different UIDs for different parts of the login process.
Consequence: If a user has logged in some time ago and his password has since expired, SSSD would be unable to switch to a new ccache.
Fix: SSSD forces removal of the old ccache if the Kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code.
Result: SSSD is able to recreate a ccache file instead of an existing but inactive ccache file for a user logging in via SSH with his password expired.
Story Points: ---
Clone Of:
Clones: 748846 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:38:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 748846
Attachments: sssd_domain.log (flags: none)

Description Gowrishankar Rajaiyan 2011-06-07 12:49:48 UTC
Description of problem:
During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

Version-Release number of selected component (if applicable):
sssd-1.5.1-40.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
uidNumber: 1866400007
gidNumber: 1866400007
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ


[root@bumblebee ~]# ipa user-del shanks
---------------------
Deleted user "shanks"
---------------------
[root@bumblebee ~]# ipa user-add shanks --password
First name: Shanks
Last name: r
Password: 
Enter Password again to verify: 
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: Shanks
  Last name: r
  Full name: Shanks r
  Display name: Shanks r
  Initials: Sr
  Home directory: /home/shanks
  GECOS field: shanks
  Login shell: /bin/sh
  Kerberos principal: shanks.PNQ.REDHAT.COM
  UID: 1866400008
[root@bumblebee ~]# 


[root@bumblebee ~]# ssh -l shanks localhost 
shanks@localhost's password: 
Permission denied, please try again.
shanks@localhost's password: 


(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x1a5bf40
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x1a30bd0
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Destroying timer event 0x1a30bd0 "ltdb_timeout"
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Ending timer event 0x1a5bf40 "ltdb_callback"

(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1866400007_wPJrHJ] exists, but is owned by [1866400007] instead of [1866400008].
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_auth_handler_done] (1): krb5_auth_recv request failed.
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, <NULL>) [Success]
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Tue Jun  7 07:39:20 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sbus_dispatch] (9): dbus conn: 1A0E6D0
(Tue Jun  7 07:39:20 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sbus_dispatch] (9): Dispatching.


[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ
uidNumber: 1866400008
gidNumber: 1866400008


[root@bumblebee ~]# rm -fvr /tmp/krb5cc_1866400007_wPJrHJ 
removed `/tmp/krb5cc_1866400007_wPJrHJ'

[root@bumblebee ~]# ssh -l shanks localhost 
shanks@localhost's password: 
Password expired. Change your password now.

RHEL6.2-20110512.n.0_nfs-Server-x86_64
Used by: Shanks

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user shanks.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to localhost closed.


 
Actual results:
During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ
uidNumber: 1866400008
gidNumber: 1866400008


[root@bumblebee ~]# ls -l /tmp/krb5cc_1866400007_wPJrHJ 
-rw-------. 1 shanks shanks 604 Jun  7 07:41 /tmp/krb5cc_1866400007_wPJrHJ
[root@bumblebee ~]# 


Expected results:
We should delete ccacheFile attribute from the cache if we detect we don't need to hold one anymore before we continue authentication.
 
Additional info:

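An added example in C, not SSSD's own code, that reimplements the ownership test behind the "exists, but is owned by [...] instead of [...]" log line above and applies the expected result stated in this report: when the stored ccacheFile is absent, not a regular file, or owned by a different uid, the cached reference is dropped (the file itself is left untouched) so authentication can go on with a fresh ccache. The enum, the function names and the /tmp/krb5cc_example_ file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, lstat */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum ccache_state { CCACHE_ABSENT, CCACHE_OWNED, CCACHE_FOREIGN, CCACHE_BAD };
/* A krb5 ccache name carries a type prefix; only FILE: (or a bare path) can be stat()ed. */
static const char *ccache_file_path(const char *ccname) {
    if (strncmp(ccname, "FILE:", 5) == 0) return ccname + 5;
    return strchr(ccname, ':') == NULL ? ccname : NULL;
}

/* Ownership test in the spirit of SSSD's check_if_ccache_file_is_used (illustrative rewrite). */
enum ccache_state check_ccache_owner(const char *ccname, uid_t expected, uid_t *actual) {
    struct stat st;
    const char *path = ccache_file_path(ccname);
    if (path == NULL) return CCACHE_BAD;
    if (lstat(path, &st) != 0) return errno == ENOENT ? CCACHE_ABSENT : CCACHE_BAD;
    if (!S_ISREG(st.st_mode)) return CCACHE_BAD;   /* a symlink in /tmp is never our ccache */
    if (actual != NULL) *actual = st.st_uid;
    return st.st_uid == expected ? CCACHE_OWNED : CCACHE_FOREIGN;
}

/* 1 = the stored ccacheFile may be reused for this uid; 0 = forget the reference (file is kept). */
int keep_cached_ccache(const char *ccname, uid_t uid) {
    uid_t owner = 0;
    enum ccache_state s = check_ccache_owner(ccname, uid, &owner);
    if (s == CCACHE_FOREIGN)
        fprintf(stderr, "Cache file [%s] exists, but is owned by [%u] instead of [%u]\n",
                ccname, (unsigned)owner, (unsigned)uid);
    return s == CCACHE_OWNED;
}

/* Constructed scenario from the report: ccache left by one uid, looked up for another, then removed. */
int demo_uid_change(void) {
    char tmpl[] = "/tmp/krb5cc_example_XXXXXX";   /* assumed name, not a real SSSD ccache */
    char ccname[64];
    int fd = mkstemp(tmpl), ok;
    if (fd < 0) return 0;
    close(fd); snprintf(ccname, sizeof ccname, "FILE:%s", tmpl);
    ok = keep_cached_ccache(ccname, getuid()) == 1          /* same owner: reuse it        */
      && keep_cached_ccache(ccname, getuid() + 1) == 0;     /* uid changed: drop reference */
    unlink(tmpl);
    return ok && keep_cached_ccache(ccname, getuid()) == 0; /* file gone: drop reference   */
}

int main(void) { return demo_uid_change() ? 0 : 1; }
```
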
Comment 1 Gowrishankar Rajaiyan 2011-06-07 12:53:20 UTC
Created attachment 503475 [details]
sssd_domain.log

# cat /etc/sssd/sssd.conf 
[sssd]
services = nss, pam
config_file_version = 2

domains = lab.eng.pnq.redhat.com
[nss]

[pam]

[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
debug_level = 9

Comment 3 Sumit Bose 2011-06-08 11:46:16 UTC
There are two issues here:

1.) The uid of a user changed, because the user was deleted and added afterwards with a new uid. Since sssd reuses the same cached object the stored ccache file now belongs to a different user ("Cache file [/tmp/krb5cc_1866400007_wPJrHJ] exists, but is owned by [1866400007] instead of [1866400008]."). This is tracked upstream in ticket https://fedorahosted.org/sssd/ticket/884 .

2.) Due to the privilege separation in sshd a ccache file with a random name cannot be recreated if the password is expired during the change password operation. This is tracked upstream in ticket https://fedorahosted.org/sssd/ticket/888 .

Please decide if this ticket needs to be split into two, maybe with different flags.

Comment 4 Stephen Gallagher 2011-06-08 11:57:57 UTC
(In reply to comment #3)
> 2.) Due to the privilege separation in sshd a ccache file with a random name
> cannot be recreated if the password is expired during the change password
> operation. This is tracked upstream in ticket
> https://fedorahosted.org/sssd/ticket/888 .
Is this the reason why we get "Connection to localhost closed." when changing an expired password through SSH?

> Please decide if this ticket needs to be split into two, maybe with different
> flags.

I think this should be split. I suspect that the expired password issue is a higher priority.

Comment 5 Sumit Bose 2011-06-08 12:24:06 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > 2.) Due to the privilege separation in sshd a ccache file with a random name
> > cannot be recreated if the password is expired during the change password
> > operation. This is tracked upstream in ticket
> > https://fedorahosted.org/sssd/ticket/888 .
> Is this the reason why we get "Connection to localhost closed." when changing
> an expired password through SSH?
> 

No, AFAIK this is a "feature" of sshd's privilege separation: if you set 'UsePrivilegeSeparation no' in sshd_config you will be logged in after changing the password.

> > Please decide if this ticket needs to be split into two, maybe with different
> > flags.
> 
> I think this should be split. I suspect that the expired password issue is a
> higher priority.

Comment 6 Dmitri Pal 2011-06-09 13:28:28 UTC
This is BZ for https://fedorahosted.org/sssd/ticket/888

Comment 7 Stephen Gallagher 2011-07-07 12:29:02 UTC
Upstream does not have any plans to resolve https://fedorahosted.org/sssd/ticket/884 at this time.

We will use this Bugzilla to track only the second issue, which relates to removing the old credential cache file during password-change operations.

QE: if you want to track the resolution of the UID/GID change RFE, please open a new BZ.

Comment 10 Kaushik Banerjee 2011-09-08 17:22:22 UTC
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 49.el6                        Build Date: Mon 29 Aug 2011 08:25:05 PM IST
Install Date: Wed 31 Aug 2011 12:17:23 PM IST      Build Host: x86-004.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-49.el6.src.rpm
Size        : 3669275                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 11 Jakub Hrozek 2011-10-27 16:17:28 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: During the login process, SSSD may attempt to create a ccache file for the user if the old ccache file has already expired. The SSH daemon uses different processes with different UIDs for different parts of the login process.
Consequence: If a user has logged in some time ago and his password has since expired, SSSD would be unable to switch to a new ccache.
Fix: SSSD forces removal of the old ccache if the Kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code.
Result: SSSD is able to recreate a ccache file instead of an existing but inactive ccache file for a user logging in via SSH with his password expired.

Comment 12 errata-xmlrpc 2011-12-06 16:38:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html