Bug 786993
Summary: | sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> | |
Component: | nfs-utils | Assignee: | Steve Dickson <steved> | |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | rawhide | CC: | bfields, jhrozek, jlayton, nalin, sbose, sgallagh, ssorce, steved | |
Target Milestone: | --- | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | nfs-utils-1.2.5-14.fc17 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 786957 | |||
: | 796429 (view as bug list) | Environment: | ||
Last Closed: | 2012-05-08 04:11:51 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 786957 | |||
Bug Blocks: | 796429, 796430 |
Description
Daniel Walsh
2012-02-02 20:43:55 UTC
Steve how much work would it be to get rpc.gssd to search /run/user/USERNAME/ before searching /tmp? As Stephen and Simo have noted elsewhere, when we do that we might as well have SSSD drop the unique-suffix-via-mkstemp() logic, as it's only being done to avoid a DoS that's possible in a shared /tmp, and not to ensure that ccaches are per-session. At any rate, rpc.gssd would want to be able to search the ccache with a name along the lines of "DIR:/run/user/$LOGIN/blahblah" or "FILE:/run/user/$LOGIN/blahblah", depending on whether the agreed-upon location was a directory or a file (the exact name under /run/user/$LOGIN is not set yet). The libraries should know the specifics of how to deal with the contents of the ccache, so long as rpc.gssd tells them to look there. (In reply to comment #1) > Steve how much work would it be to get rpc.gssd to search /run/user/USERNAME/ > before searching /tmp? Changing the default path probably will not be too bad but getting the user name might be a bit time consuming since uids are passed up from the kernel. Doing that uid to username conversion very time consuming... /run/usr/<uid>/ would be better from rpc.gssd's perceptive This would be very easy to accomplish from SSSD's perspective, but I defer to Dan to tell us how feasible this is from SELinux's (and systemd's) point of view. I got the impression that /var/run/user/username was automatically created (and its permissions managed) by systemd. (In reply to comment #3) > (In reply to comment #1) > > Steve how much work would it be to get rpc.gssd to search /run/user/USERNAME/ > > before searching /tmp? > Changing the default path probably will not be too bad but getting the user > name might be a bit time consuming since uids are passed up from the kernel. > Doing that uid to username conversion very time consuming... > > /run/usr/<uid>/ would be better from rpc.gssd's perceptive Maybe we can have a symlink with the userid. The kernel can't pass up any uids, all it has to pass up is a gss init_sec_context token, which svcgssd uses the gss/krb5 libraries to turn into some kind of gss name, which is mapped to numeric id's by libnfsidmap--see nfs-utils/utils/gssd/svcgssd_proc.c:get_ids(). (I don't really know if that's the best way to do it, but that's how it works right now.) So if there's an easy way to map the gss name to the right form then getting the username shouldn't be too bad.... But it still might be simplest if we could continue doing the lookup by id. Bruce, I think you are describing the case of a NFS server. Ccaches are used in the case of an NFS client. In that case the uid is the only information the kernel has about the process trying to access a specific mount point. In gss-proxy I can do the uid->name lookup (which is very fast with either nscd or sssd+memcache patches so I don't think you should worry too much about the speed of that lookup. HTH, Simo (In reply to comment #7) > Bruce, > I think you are describing the case of a NFS server. > Ccaches are used in the case of an NFS client. In that case the uid is the only > information the kernel has about the process trying to access a specific mount > point. Bah, you're right, sorry for not following carefully! > In gss-proxy I can do the uid->name lookup (which is very fast with either nscd > or sssd+memcache patches so I don't think you should worry too much about the > speed of that lookup. OK. sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3 Sorry, selected the wrong BZ for this update. It has now been correct. But you're at least now aware that the SSSD side of this change is now in updates-testing. Please look into the nfs-utils changes ASAP. nfs-utils-1.2.5-14.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-4479/nfs-utils-1.2.5-14.fc17 Wasn't this supposed to go only in rawhide ? Package nfs-utils-1.2.5-14.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nfs-utils-1.2.5-14.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4479/nfs-utils-1.2.5-14.fc17 then log in and leave karma (feedback). This change shouldn't be pushed to F17, it should only be in Rawhide. It's too potentially disruptive. nfs-utils-1.2.5-14.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |