Bug 1026861 - RHEL7 ipa krb5.conf.template update to support KEYRING default_ccache_name
Summary: RHEL7 ipa krb5.conf.template update to support KEYRING default_ccache_name
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1017806
Blocks: 991169
Reported: 2013-11-05 14:43 UTC by Scott Poore
Modified: 2015-01-16 08:45 UTC (History)

Fixed In Version: ipa-3.3.3-3.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:43:49 UTC
Target Upstream Version:
nsoman: needinfo+


Attachments
Candidate patch for review (4.50 KB, text/plain), 2013-11-05 18:22 UTC, Martin Kosek
Kernel patch to fix get_persistent-by-specified-UID (1.55 KB, patch), 2013-11-06 14:16 UTC, David Howells

Description Scott Poore 2013-11-05 14:43:15 UTC
Description of problem:

In RHEL7 the default krb5.conf includes:

default_ccache_name = KEYRING:persistent:%{uid}

But, ipa-server does not include that in the template here:

/usr/share/ipa/krb5.conf.template

So, KRB5CCNAME on the client is defaulting back to file:/tmp/something:

[root@rhel7-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.TEST

Valid starting       Expires              Service principal
11/04/2013 21:59:19  11/05/2013 21:59:19  krbtgt/IPA1.EXAMPLE.TEST.TEST

Should this be fixed to support the newer kernel keyring cache type?  

Version-Release number of selected component (if applicable):
[root@rhel7-1 ~]# rpm -qf /usr/share/ipa/krb5.conf.template 
ipa-server-3.3.2-3.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  install ipa server
2.  kinit admin
3.  klist
4.  grep default_ccache_name /etc/krb5.conf

Actual results:
Uses the old location in /tmp instead of the new keyring support.

Expected results:
Should be KEYRING:persistent:%{uid}.

Additional info:

Comment 4 Martin Kosek 2013-11-05 16:58:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4013

Comment 9 Martin Kosek 2013-11-05 18:22:29 UTC
Created attachment 819931 [details]
Candidate patch for review

Comment 17 David Howells 2013-11-06 13:15:17 UTC
I think the problem is in the UID check here in the kernel for where the requested UID isn't -1 (see the if-statement below with four uid_eq() calls in it):

long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
{
	struct user_namespace *ns = current_user_ns();
	key_ref_t dest_ref;
	kuid_t uid;
	long ret;

	/* -1 indicates the current user */
	if (_uid == (uid_t)-1) {
		uid = current_uid();
	} else {
		uid = make_kuid(ns, _uid);
		if (!uid_valid(uid))
			return -EINVAL;

		/* You can only see your own persistent cache if you're not
		 * sufficiently privileged.
		 */
		if (uid_eq(uid, current_uid()) &&
		    uid_eq(uid, current_suid()) &&
		    uid_eq(uid, current_euid()) &&
		    uid_eq(uid, current_fsuid()) &&
		    !ns_capable(ns, CAP_SETUID))
			return -EPERM;
	}
 ...

Comment 18 Dmitri Pal 2013-11-06 14:05:10 UTC
(In reply to David Howells from comment #17)
> I think the problem is in the UID check here in the kernel for where the
> requested UID isn't -1 (see the if-statement below with four uid_eq() calls
> in it):
> 
> long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
> {
> 	struct user_namespace *ns = current_user_ns();
> 	key_ref_t dest_ref;
> 	kuid_t uid;
> 	long ret;
> 
> 	/* -1 indicates the current user */
> 	if (_uid == (uid_t)-1) {
> 		uid = current_uid();
> 	} else {
> 		uid = make_kuid(ns, _uid);
> 		if (!uid_valid(uid))
> 			return -EINVAL;
> 
> 		/* You can only see your own persistent cache if you're not
> 		 * sufficiently privileged.
> 		 */
> 		if (uid_eq(uid, current_uid()) &&
> 		    uid_eq(uid, current_suid()) &&
> 		    uid_eq(uid, current_euid()) &&
> 		    uid_eq(uid, current_fsuid()) &&
> 		    !ns_capable(ns, CAP_SETUID))
> 			return -EPERM;
> 	}
>  ...

So is the bug in the kernel? If yes, should we reassign the ticket?

Comment 19 Stephen Gallagher 2013-11-06 14:11:14 UTC
Don't reassign it, please. This bug is for IPA. We'll reopen the kernel bugzilla that added this feature as FailedQA.

Comment 20 David Howells 2013-11-06 14:16:55 UTC
Created attachment 820403 [details]
Kernel patch to fix get_persistent-by-specified-UID

Here's a patch to fix get_persistent in the kernel.  The UID check when a UID was specified was wrong.  This can be tested with:

	keyctl get_persistent @p
	keyctl get_persistent @p `id -u`
	keyctl get_persistent @p 0

The first two should successfully print the same key ID.  The third should do
the same if called by UID 0 or indicate Operation Not Permitted otherwise.
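
The following is an added example, not kernel code and not part of this bug report or its attachments: a user-space model of the UID check quoted in comment 17, with the predicate exactly as quoted beside a corrected one, both run against the three keyctl probes from comment 20. `struct caller_creds`, the `has_cap_setuid` field and the `MODEL_*` return codes are assumptions made for this illustration; the kernel reads the same values through current_uid()/current_suid()/current_euid()/current_fsuid() and ns_capable(ns, CAP_SETUID). The corrected predicate encodes the policy the comment's own text states ("you can only see your own persistent cache if you're not sufficiently privileged"); it is an assumption and is not a copy of attachment 820403, which is not reproduced on this page.

```c
/* Added example: user-space model of the keyctl_get_persistent() UID check
 * quoted in comment 17. Not kernel code; names marked below are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t model_uid;              /* stand-in for the kernel's kuid_t */
#define UID_CURRENT ((model_uid)-1)      /* -1 means "the calling user"       */
#define MODEL_OK     0
#define MODEL_EPERM  (-1)                /* "Operation not permitted"         */

/* Caller credentials as the kernel sees them (constructed for the model). */
struct caller_creds {
    model_uid uid, suid, euid, fsuid;
    bool has_cap_setuid;                 /* models ns_capable(ns, CAP_SETUID) */
};

/* The predicate as quoted in comment 17. It denies only when every one of the
 * caller's UIDs equals the requested UID, i.e. exactly the case where the
 * caller asks for its own persistent cache. */
static int check_as_quoted(const struct caller_creds *c, model_uid requested)
{
    if (requested == UID_CURRENT)
        return MODEL_OK;
    if (requested == c->uid && requested == c->suid &&
        requested == c->euid && requested == c->fsuid &&
        !c->has_cap_setuid)
        return MODEL_EPERM;
    return MODEL_OK;
}

/* The policy the comment's text states: only your own persistent cache unless
 * you are sufficiently privileged. Deny when the requested UID is neither the
 * real nor the effective UID and the caller lacks CAP_SETUID. This formulation
 * is an assumption for the model, not a copy of the actual kernel patch. */
static int check_corrected(const struct caller_creds *c, model_uid requested)
{
    if (requested == UID_CURRENT)
        return MODEL_OK;
    if (requested != c->uid && requested != c->euid && !c->has_cap_setuid)
        return MODEL_EPERM;
    return MODEL_OK;
}

/* The two callers exercised in the bug: an unprivileged IPA user (UID taken
 * from comment 22) and root. Both credential sets are constructed samples. */
static const struct caller_creds testuser1 = {
    .uid = 1913000003, .suid = 1913000003, .euid = 1913000003,
    .fsuid = 1913000003, .has_cap_setuid = false };
static const struct caller_creds root_user = {
    .uid = 0, .suid = 0, .euid = 0, .fsuid = 0, .has_cap_setuid = true };

/* Run the three probes from comment 20 against one checker and print results. */
static void run_probes(const char *label,
                       int (*check)(const struct caller_creds *, model_uid),
                       const struct caller_creds *c)
{
    const struct { const char *cmd; model_uid requested; } probes[] = {
        { "keyctl get_persistent @p",         UID_CURRENT },
        { "keyctl get_persistent @p `id -u`", c->uid      },
        { "keyctl get_persistent @p 0",       0           },
    };
    printf("%s, caller uid %u:\n", label, (unsigned)c->uid);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = check(c, probes[i].requested);
        printf("  %-36s -> %s\n", probes[i].cmd,
               rc == MODEL_OK ? "allowed" : "Operation not permitted");
    }
}

int main(void)
{
    /* As quoted: the second probe is denied for the user's own UID, while a
     * request for UID 0 passes this particular check. What the rest of the
     * kernel function does after this point is not shown on the page. */
    run_probes("as quoted", check_as_quoted, &testuser1);
    run_probes("as quoted", check_as_quoted, &root_user);
    /* Corrected: matches comment 20's expectation. The first two probes are
     * allowed for everyone; the third only for UID 0 or a CAP_SETUID holder. */
    run_probes("corrected", check_corrected, &testuser1);
    run_probes("corrected", check_corrected, &root_user);
    return 0;
}
```

The point the model makes is the one comment 20's test recipe relies on: a permission check needs at least one probe for the allowed case (own UID) and one for the denied case (another user's UID). Running only `keyctl get_persistent @p` exercises the `-1` branch and never touches the faulty comparison, which is why the breakage surfaced through the Kerberos KEYRING cache rather than in direct keyctl use.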

Comment 22 Scott Poore 2013-11-06 22:01:01 UTC
OK, testing with the new kernel fix, it looks like we're back in business for root and non-root:

[root@cloud-qe-21 ~]# rpm -q ipa-server kernel
ipa-server-3.3.3-3.el7.x86_64
kernel-3.10.0-42.el7.x86_64
kernel-3.10.0-43.el7.kpq.x86_64

[root@cloud-qe-21 ~]# uname -a
Linux cloud-qe-21.testrelm.com 3.10.0-43.el7.kpq.x86_64 #1 SMP Wed Nov 6 15:24:52 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

[root@cloud-qe-21 ~]# kinit admin
Password for admin: 

[root@cloud-qe-21 ~]# ipa user-add testuser1 --first=f --last=l
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser1
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 1913000003
  GID: 1913000003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@cloud-qe-21 ~]# ipa passwd testuser1
New Password: 
Enter New Password again to verify: 
---------------------------------------------
Changed password for "testuser1"
---------------------------------------------

[root@cloud-qe-21 ~]# kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@cloud-qe-21 ~]# kdestroy

[root@cloud-qe-21 ~]# su - testuser1
Creating home directory for testuser1.
-sh-4.2$ klist
klist: No credentials cache found while retrieving principal name
-sh-4.2$ kinit 
Password for testuser1: 
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:53:00  11/07/2013 16:52:57  krbtgt/TESTRELM.COM

-sh-4.2$ exit
logout

[root@cloud-qe-21 ~]# ssh testuser1@$(hostname)
testuser1.com's password: 
Last login: Wed Nov  6 16:52:41 2013
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=cloud-qe-21.domain                  
                            JOBID=536476                              
                         RECIPEID=1118439                           
                       LAB_SERVER=                         
                    RESULT_SERVER=127.0.0.1:7081                      
                           DISTRO=RHEL-7.0-20131018.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
-sh-4.2$ id
uid=1913000003(testuser1) gid=1913000003(testuser1) groups=1913000003(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:54:48  11/07/2013 16:54:48  krbtgt/TESTRELM.COM

-sh-4.2$ kdestroy

-sh-4.2$ kinit testuser1
Password for testuser1: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:55:04  11/07/2013 16:55:02  krbtgt/TESTRELM.COM

-sh-4.2$ kinit admin
Password for admin: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_IZ5lJbW
Default principal: admin

Valid starting       Expires              Service principal
11/06/2013 16:55:11  11/07/2013 16:55:09  krbtgt/TESTRELM.COM
-sh-4.2$ cat /proc/keys
05e24aab I--Q---     4 perm 1f3f0000 1913000003 65534 keyring   _uid.1913000003: empty
0a73d0ef I--Q---     4 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
0fde5f13 I--Q---     1 perm 1f3f0000 1913000003 65534 keyring   _uid_ses.1913000003: 1
10e048e3 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 480 [buff]
11b2fa7b I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 178 [buff]
13cf6e45 I--Q---    13 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
14ea85dd I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 177 [buff]
1a15418b I--Q---     2 perm 3f010000 1913000003 1913000003 keyring   _krb: 3
1eb64fa4 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 173 [buff]
1f60f22a I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   krb_ccache_IZ5lJbW: 4
2bce9931 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 37
35423f57 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 33
370b80ce I------     2   2d 1f030000 1913000003 65534 keyring   _persistent.1913000003: 1
375df308 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 490 [buff]
376176e7 I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   1913000003: 4
3aec7ff9 I--Q---     1 perm 3f010000 1913000003 1913000003 user      krb_ccache:primary: 27
3b401d1a I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 182 [buff]

-sh-4.2$ kinit nonroot
Password for nonroot: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_9a1tHsK
Default principal: nonroot

Valid starting       Expires              Service principal
11/06/2013 16:56:06  11/07/2013 16:56:03  krbtgt/TESTRELM.COM

Comment 24 Scott Poore 2013-11-12 17:20:32 UTC
Verified per comment #22 above.

Also, quick check on standard install:

[root@ibm-x3650m4-01-vm-15 ~]# grep default_ccache_name /etc/krb5.conf
 default_ccache_name = KEYRING:persistent:%{uid}

Comment 26 Martin Kosek 2013-12-09 11:30:54 UTC
This was just a mistake in a process. Namita, can you please move the Bugzilla back to VERIFIED? I cannot do it myself.

Comment 27 Scott Poore 2013-12-09 14:27:11 UTC
Moving back to verified.

Comment 28 Scott Poore 2013-12-09 14:28:18 UTC
And clearing needinfo flag since I changed to verified.

Comment 29 Ludek Smid 2014-06-13 11:43:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

