Bug 857054

Summary: [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: apeetham, jgalipea, jhrozek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.10.0-1.el7.alpha1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 13:08:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-09-13 13:26:32 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1512

https://bugzilla.redhat.com/show_bug.cgi?id=853558 (''Fedora'')

{{{
Description of problem:
sudo is failing in Fedora 18 (development) with identities via LDAP and
authorization via Kerberos.

Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'krb5|systemd|sssd'
systemd-libs-188-3.fc18.i686
systemd-188-3.fc18.i686
systemd-sysv-188-3.fc18.i686
sssd-1.9.0-19.fc18.beta6.i686
pam_krb5-2.3.14-3.fc18.i686
sssd-client-1.9.0-19.fc18.beta6.i686
krb5-libs-1.10.2-7.fc18.i686

How reproducible:
always

Actual results:
User POV:
sudo date
[sudo] password for my_user_name:
Sorry, try again.
[sudo] password for my_user_name:
sudo: 1 incorrect password attempt

Log POV:
==> /var/log/messages <==
Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache directory
/run/user/my_uid/ccdir does not exist

==> /var/log/secure <==
Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential
cache directory /run/user/my_uid/ccdir does not exist]

No AVCs reported.

See attachment.
}}}
Comment 2 Jenny Severance 2013-03-13 15:21:26 UTC 
please add steps to reproduce
Comment 3 Jakub Hrozek 2013-03-18 09:23:47 UTC 
I hope I remember them correctly, please feel free to ping again if they don't work:

1) Configure Kerberos provider to use DIR: cache
2) log in as a user
3) From another terminal, remove his /run/user/$UID directory (to simulate session end)
4) log in as the same user again.

With the unpatched version, the second login would fail. With the patched version, it would succeed.
Comment 4 Jakub Hrozek 2013-03-26 18:06:23 UTC 
Fixed upstream.
Comment 5 Jakub Hrozek 2013-10-04 13:23:22 UTC 
Temporarily moving bugs to MODIFIED to work around errata tool bug
Comment 7 Amith 2013-12-18 09:32:53 UTC 
Verified the bug on SSSD Version: sssd-1.11.2-10.el7.x86_64

Steps followed during verification:

1. Configure sssd with credential cache type "krb5_ccname_template = DIR:/tmp/%U"
2. Login with a krb5 user and verify the cache:

[tr_user@rhel-7 ~]$ klist
Ticket cache: DIR::/tmp/10219/tktZ5pH3m
Default principal: tr_user

Valid starting       Expires              Service principal
12/18/2013 09:35:02  12/19/2013 09:35:02  krbtgt/EXAMPLE.COM
	renew until 12/18/2013 09:35:02

3. Delete the cache directory "/tmp/10219" to end the session.
4. Attempt second login for the same user. As expected, login succeeds.
Comment 8 Ludek Smid 2014-06-13 13:08:32 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.