Bug 786957
| Field | Value |
|---|---|
| Summary | sssd and kerberos should change the default location for creating the Credential Caches to /run/usr/USERNAME/krb5cc |
| Product | Fedora |
| Component | sssd |
| Version | rawhide |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Stephen Gallagher <sgallagh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jhrozek, john, nalin, sbose, sgallagh, ssorce |
| Status | CLOSED RAWHIDE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| | 786993 (view as bug list) |
| Last Closed | 2012-02-28 20:37:07 UTC |
| Bug Depends On | 851304 |
| Bug Blocks | 786993, 796429, 796430 |
Description
Daniel Walsh
2012-02-02 18:36:35 UTC

It's probably too late for a feature submission, but can you open a dialog with the rpc.gssd folks about changing this? Find out whether it can be done within the F17 alpha timeframe (read: by Feb 13).

---

Also remember to change sssd defaults so that the mkstemp() is not used anymore. In /run/user/username/ there are no races to fear and it will make for a much better experience as the ccache name will not change.

---

sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3

---

Package sssd-1.8.0-5.fc17.beta3:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3
then log in and leave karma (feedback).

---

Package sssd-1.8.0-5.fc17.beta3.1:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
then log in and leave karma (feedback).

---

In testing, it looks like steved's getting KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be found by patches I've sent to the cifs-utils and nfs-utils maintainers. The sssd-krb5 man page doesn't indicate that this was changed, either. Should I reopen this, or open a new bug to correct these?

---

(In reply to comment #6)
> In testing, it looks like steved's getting
> KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> found by patches I've sent to the cifs-utils and nfs-utils maintainers.

The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we should just s/ccdir/krb5cc/ right?

> The
> sssd-krb5 man page doesn't indicate that this was changed, either. Should I
> reopen this, or open a new bug to correct these?

The default in the SSSD code is still FILE:/tmp/, mostly for cross-distribution and backwards compatibility. We rather override the SSSD default at configure time to current "DIR:/run/user/${UID}/ccdir". We should have also patched the man page to include the configured default instead of the upstream.

Can you open a new bug, please? I'll fix both the default and patch the man page.

[1] https://fedoraproject.org/wiki/Features/KRB5DirCache

---

(In reply to comment #7)
> (In reply to comment #6)
> > In testing, it looks like steved's getting
> > KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> > found by patches I've sent to the cifs-utils and nfs-utils maintainers.
>
> The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we
> should just s/ccdir/krb5cc/ right?

Looks like, yes. Come to think of it, I expect SSSD was updated when the feature page said to do what SSSD is doing now (we changed the recommended setting a couple of weeks ago) so that's understandable.

> > The
> > sssd-krb5 man page doesn't indicate that this was changed, either. Should I
> > reopen this, or open a new bug to correct these?
>
> The default in the SSSD code is still FILE:/tmp/, mostly for
> cross-distribution and backwards compatibility. We rather override the SSSD
> default at configure time to current "DIR:/run/user/${UID}/ccdir". We should
> have also patched the man page to include the configured default instead of
> the upstream.
>
> Can you open a new bug, please? I'll fix both the default and patch the man
> page.

Sure. Filed as bug #851304. Thanks!

---

I've looked at a bunch of related BZs and I'm not sure where this should go, here or elsewhere or a new ticket, but ...

I have a Fedora 18 host where sudo is failing with this (and more, but I believe these are the most relevant messages):

==> /var/log/messages <==
Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache directory /run/user/10325/ccdir does not exist

==> /var/log/secure <==
Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential cache directory /run/user/10325/ccdir does not exist]

This host has been configured with LDAP for identities and Kerberos for authentication. Sudo has been configured to test for group membership where the requisite group is in LDAP (along with the user IDs). Is this still on the TODO list for the feature or has something been overlooked possibly?

---

(In reply to comment #9)
> I've looked at a bunch of related BZs and I'm not sure where this should go,
> here or elsewhere or a new ticket, but ...
>
> I have a Fedora 18 host where sudo is failing with this (and more, but I
> believe these are the most relevant messages):
>
> ==> /var/log/messages <==
> Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache
> directory /run/user/10325/ccdir does not exist
>
> ==> /var/log/secure <==
> Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential
> cache directory /run/user/10325/ccdir does not exist]
>
>
> This host has been configured with LDAP for identities and Kerberos for
> authentication. Sudo has been configured to test for group membership where
> the requisite group is in LDAP (along with the user IDs). Is this still on
> the TODO list for the feature or has something been overlooked possibly?

John, please open a new bug against the SSSD. Also please raise the debug level of the SSSD in the [domain] section to 8, restart the SSSD and then re-run the case. Then attach the contents of (sanitized) /var/log/sssd/sssd_$domainname.log.

Is the UID of your user 10325? Are there any AVC denials in the syslog or audit.log?

Thank you!

---

New bug to follow. Yes I'm UID 10325 and there were no AVC denials.

---

(In reply to comment #11)
> New bug to follow. Yes I'm UID 10325 and there were no AVC denials.

Thank you! Can you please also include the full version of the sssd, all krb5-\* packages and systemd?

---

My issue now tracked at new bug #853558.
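The thread turns on two things an administrator can check mechanically: whether a host's KRB5CCNAME points at the per-user `DIR:/run/user/$UID/krb5cc` collection that the feature page calls for (rather than the `ccdir` leaf the package shipped with, or a `FILE:/tmp/` ccache), and whether the logs carry the "Credential cache directory ... does not exist" event quoted in comment #9. The following script is an added example written for this page; it is not code from SSSD, Fedora or anyone in the bug. The log lines are constructed to match the shape of those quoted above, the `krb5cc` expectation comes from the feature page cited in comment #7, and the hint about a missing logind session in `scan_log` is the editor's own diagnostic suggestion, not something the bug establishes.

```python
"""Check Kerberos ccache locations against the /run/user/<uid>/krb5cc layout
discussed in this bug, and extract ccache-directory errors from sssd/pam_sss logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Collection name the KRB5DirCache feature page calls for (comment #7);
# "ccdir" is the configure-time override the bug found in the shipped package.
EXPECTED_LEAF = "krb5cc"

# Constructed sample log lines modelled on those quoted in comment #9 (not from a
# real host). The third line is unrelated sudo noise the scanner must ignore.
SAMPLE_LOG = """\
Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache directory /run/user/10325/ccdir does not exist
Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential cache directory /run/user/10325/ccdir does not exist]
Aug 31 13:40:02 test-host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
"""

CCACHE_MISSING_RE = re.compile(r"Credential cache directory (?P<path>\S+) does not exist")
RUN_USER_RE = re.compile(r"^/run/user/(?P<uid>\d+)/(?P<leaf>[^/]+)/?$")


def parse_krb5ccname(value: str) -> Tuple[str, str]:
    """Split a KRB5CCNAME value into (type, residual).
    libkrb5 treats a value with no type prefix as FILE, so "/tmp/x" -> ("FILE", "/tmp/x")."""
    if not value.startswith("/") and ":" in value:
        ctype, residual = value.split(":", 1)
        return ctype.upper(), residual
    return "FILE", value


def assess_krb5ccname(value: str, uid: int, expected_leaf: str = EXPECTED_LEAF) -> str:
    """Return "ok" when value is the per-user collection DIR:/run/user/<uid>/<expected_leaf>;
    otherwise a short reason describing how it deviates from that layout."""
    ctype, residual = parse_krb5ccname(value)
    if ctype == "FILE":
        if residual.startswith("/tmp/"):
            return "FILE ccache in shared /tmp (mkstemp-style name that changes per login; races possible)"
        return "FILE ccache outside the per-user runtime directory"
    if ctype != "DIR":
        return f"unexpected ccache type {ctype}"
    m = RUN_USER_RE.match(residual)
    if not m:
        return "DIR collection not under /run/user/<uid>/"
    if int(m.group("uid")) != uid:
        return f"collection belongs to uid {m.group('uid')}, not {uid}"
    if m.group("leaf") != expected_leaf:
        return f"collection name {m.group('leaf')!r} differs from expected {expected_leaf!r}"
    return "ok"


@dataclass
class CcacheFinding:
    path: str            # directory named in the log message
    uid: Optional[int]   # uid parsed from /run/user/<uid>/..., if the path has that shape
    leaf: Optional[str]  # last path component (collection name)
    problem: str         # human-readable diagnosis


def scan_log(text: str, expected_leaf: str = EXPECTED_LEAF) -> List[CcacheFinding]:
    """Extract 'Credential cache directory ... does not exist' events from syslog text.
    krb5_child and pam_sss both report the same event, so findings are de-duplicated on path."""
    findings: List[CcacheFinding] = []
    seen = set()
    for line in text.splitlines():
        m = CCACHE_MISSING_RE.search(line)
        if not m or m.group("path") in seen:
            continue
        path = m.group("path")
        seen.add(path)
        pm = RUN_USER_RE.match(path)
        if not pm:
            findings.append(CcacheFinding(path, None, None, "ccache dir not under /run/user/<uid>/"))
            continue
        uid, leaf = int(pm.group("uid")), pm.group("leaf")
        if leaf != expected_leaf:
            problem = f"sssd configured for {leaf!r}, expected {expected_leaf!r}; that directory does not exist"
        else:
            # Editor's hint, not from the bug: /run/user/<uid> is created by systemd-logind
            # for a logged-in session, so its absence usually means no session for this uid.
            problem = "/run/user/<uid> runtime dir missing: is there a logind session for this uid?"
        findings.append(CcacheFinding(path, uid, leaf, problem))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.path}: uid={f.uid} leaf={f.leaf} -> {f.problem}")
    print(assess_krb5ccname("DIR:/run/user/10325/ccdir", 10325))
    print(assess_krb5ccname("DIR:/run/user/10325/krb5cc", 10325))
```

On a live host, feed `scan_log` the contents of /var/log/messages or /var/log/secure and pass the `krb5_ccname_template` value from sssd.conf (with `%U` substituted by the user's uid) to `assess_krb5ccname`; a non-"ok" result is the configuration mismatch this bug describes, while a finding with leaf `krb5cc` points at the runtime directory itself being absent.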