
Bug 1026861

Summary: RHEL7 ipa krb5.conf.template update to support KEYRING default_ccache_name
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: dhowells, dpal, nalin, nsoman, pviktori, rcritten, sgallagh, spoore, ssorce, svenkatr, tlavigne
Target Milestone: beta
Flags: nsoman: needinfo+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.3.3-3.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 11:43:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1017806
Bug Blocks: 991169

Attachments:
Candidate patch for review (flags: none)
Kernel patch to fix get_persistent-by-specified-UID (flags: none)

Description Scott Poore 2013-11-05 14:43:15 UTC
Description of problem:

In RHEL7 the default krb5.conf includes:

default_ccache_name = KEYRING:persistent:%{uid}

But, ipa-server does not include that in the template here:

/usr/share/ipa/krb5.conf.template

So, KRB5CCNAME on the client is defaulting back to file:/tmp/something:

[root@rhel7-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.TEST

Valid starting       Expires              Service principal
11/04/2013 21:59:19  11/05/2013 21:59:19  krbtgt/IPA1.EXAMPLE.TEST.TEST

Should this be fixed to support the newer kernel keyring cache type?

Version-Release number of selected component (if applicable):
[root@rhel7-1 ~]# rpm -qf /usr/share/ipa/krb5.conf.template 
ipa-server-3.3.2-3.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  install ipa server
2.  kinit admin
3.  klist
4.  grep default_ccache_name /etc/krb5.conf

Actual results:
uses old location in /tmp instead of the new keyring support.

Expected results:
should be: KEYRING:persistent:%{uid}.

Additional info:

Comment 4 Martin Kosek 2013-11-05 16:58:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4013

Comment 9 Martin Kosek 2013-11-05 18:22:29 UTC
Created attachment 819931 [details]
Candidate patch for review

Comment 17 David Howells 2013-11-06 13:15:17 UTC
I think the problem is in the UID check here in the kernel for where the requested UID isn't -1 (see the if-statement below with four uid_eq() calls in it):

long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
{
	struct user_namespace *ns = current_user_ns();
	key_ref_t dest_ref;
	kuid_t uid;
	long ret;

	/* -1 indicates the current user */
	if (_uid == (uid_t)-1) {
		uid = current_uid();
	} else {
		uid = make_kuid(ns, _uid);
		if (!uid_valid(uid))
			return -EINVAL;

		/* You can only see your own persistent cache if you're not
		 * sufficiently privileged.
		 */
		if (uid_eq(uid, current_uid()) &&
		    uid_eq(uid, current_suid()) &&
		    uid_eq(uid, current_euid()) &&
		    uid_eq(uid, current_fsuid()) &&
		    !ns_capable(ns, CAP_SETUID))
			return -EPERM;
	}
 ...

Comment 18 Dmitri Pal 2013-11-06 14:05:10 UTC
(In reply to David Howells from comment #17)
> I think the problem is in the UID check here in the kernel for where the
> requested UID isn't -1 (see the if-statement below with four uid_eq() calls
> in it):
> 
> long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
> {
> 	struct user_namespace *ns = current_user_ns();
> 	key_ref_t dest_ref;
> 	kuid_t uid;
> 	long ret;
> 
> 	/* -1 indicates the current user */
> 	if (_uid == (uid_t)-1) {
> 		uid = current_uid();
> 	} else {
> 		uid = make_kuid(ns, _uid);
> 		if (!uid_valid(uid))
> 			return -EINVAL;
> 
> 		/* You can only see your own persistent cache if you're not
> 		 * sufficiently privileged.
> 		 */
> 		if (uid_eq(uid, current_uid()) &&
> 		    uid_eq(uid, current_suid()) &&
> 		    uid_eq(uid, current_euid()) &&
> 		    uid_eq(uid, current_fsuid()) &&
> 		    !ns_capable(ns, CAP_SETUID))
> 			return -EPERM;
> 	}
>  ...

So is the bug in the kernel? If yes, should we reassign the ticket?

Comment 19 Stephen Gallagher 2013-11-06 14:11:14 UTC
Don't reassign it, please. This bug is for IPA. We'll reopen the kernel bugzilla that added this feature as FailedQA.

Comment 20 David Howells 2013-11-06 14:16:55 UTC
Created attachment 820403 [details]
Kernel patch to fix get_persistent-by-specified-UID

Here's a patch to fix get_persistent in the kernel.  The UID check when a UID was specified was wrong.  This can be tested with:

	keyctl get_persistent @p
	keyctl get_persistent @p `id -u`
	keyctl get_persistent @p 0

The first two should successfully print the same key ID.  The third should do the same if called by UID 0 or indicate Operation Not Permitted otherwise.
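The UID check quoted in comment 17 and the three keyctl calls from comment 20, modelled in userspace as an added example (not code from this bug or from the attached kernel patch). The cred struct and its cap flag stand in for current_uid()/current_suid()/current_euid()/current_fsuid() and ns_capable(ns, CAP_SETUID); the corrected condition is my reading of the fix, since the patch itself is not shown on this page.

```c
/* Added example: userspace model of the uid check in keyctl_get_persistent().
 * struct cred_model and cap_setuid are stand-ins for the kernel's current
 * credentials and ns_capable(ns, CAP_SETUID); uid_t and errno values are real. */
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>

struct cred_model {
    uid_t uid, suid, euid, fsuid;   /* current_uid(), current_suid(), ... */
    bool cap_setuid;                /* ns_capable(ns, CAP_SETUID) */
};

#define UID_CURRENT ((uid_t)-1)     /* same sentinel the syscall uses */

/* The condition as quoted in comment 17 (pre-fix): denies exactly when the
 * requested uid equals every credential and the caller is unprivileged, so an
 * ordinary user is refused their own cache while any other uid is allowed. */
static long check_uid_quoted(uid_t req, const struct cred_model *c)
{
    if (req == c->uid && req == c->suid && req == c->euid &&
        req == c->fsuid && !c->cap_setuid)
        return -EPERM;
    return 0;
}

/* Assumed corrected condition: deny only when the requested uid matches none
 * of the caller's credentials and the caller lacks CAP_SETUID. */
static long check_uid_fixed(uid_t req, const struct cred_model *c)
{
    if (req != c->uid && req != c->suid && req != c->euid &&
        req != c->fsuid && !c->cap_setuid)
        return -EPERM;
    return 0;
}

/* Models the syscall entry: -1 means "current user" and skips the check,
 * otherwise the chosen check runs. Returns the resolved uid (>= 0) or -errno,
 * so the three "keyctl get_persistent @p ..." calls can be compared directly. */
static long get_persistent_uid(uid_t req, const struct cred_model *c,
                               long (*check)(uid_t, const struct cred_model *))
{
    long ret;
    if (req == UID_CURRENT)
        return (long)c->uid;
    ret = check(req, c);
    return ret ? ret : (long)req;
}
```

With the quoted condition, `get_persistent_uid(1913000003, &user, ...)` fails with -EPERM for the user who owns that uid, which is the mismatch between the first two keyctl calls that comment 20 describes; with the corrected condition both resolve to the same uid and only the request for uid 0 is refused to a non-root caller.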

Comment 22 Scott Poore 2013-11-06 22:01:01 UTC
Ok, testing with the new kernel fix looks like we're back in business for root and non-root:

[root@cloud-qe-21 ~]# rpm -q ipa-server kernel
ipa-server-3.3.3-3.el7.x86_64
kernel-3.10.0-42.el7.x86_64
kernel-3.10.0-43.el7.kpq.x86_64

[root@cloud-qe-21 ~]# uname -a
Linux cloud-qe-21.testrelm.com 3.10.0-43.el7.kpq.x86_64 #1 SMP Wed Nov 6 15:24:52 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

[root@cloud-qe-21 ~]# kinit admin
Password for admin: 

[root@cloud-qe-21 ~]# ipa user-add testuser1 --first=f --last=l
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser1
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 1913000003
  GID: 1913000003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@cloud-qe-21 ~]# ipa passwd testuser1
New Password: 
Enter New Password again to verify: 
---------------------------------------------
Changed password for "testuser1"
---------------------------------------------

[root@cloud-qe-21 ~]# kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@cloud-qe-21 ~]# kdestroy

[root@cloud-qe-21 ~]# su - testuser1
Creating home directory for testuser1.
-sh-4.2$ klist
klist: No credentials cache found while retrieving principal name
-sh-4.2$ kinit 
Password for testuser1: 
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:53:00  11/07/2013 16:52:57  krbtgt/TESTRELM.COM

-sh-4.2$ exit
logout

[root@cloud-qe-21 ~]# ssh testuser1@$(hostname)
testuser1.com's password: 
Last login: Wed Nov  6 16:52:41 2013
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=cloud-qe-21.domain                  
                            JOBID=536476                              
                         RECIPEID=1118439                           
                       LAB_SERVER=                         
                    RESULT_SERVER=127.0.0.1:7081                      
                           DISTRO=RHEL-7.0-20131018.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
-sh-4.2$ id
uid=1913000003(testuser1) gid=1913000003(testuser1) groups=1913000003(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:54:48  11/07/2013 16:54:48  krbtgt/TESTRELM.COM

-sh-4.2$ kdestroy

-sh-4.2$ kinit testuser1
Password for testuser1: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:1913000003
Default principal: testuser1

Valid starting       Expires              Service principal
11/06/2013 16:55:04  11/07/2013 16:55:02  krbtgt/TESTRELM.COM

-sh-4.2$ kinit admin
Password for admin: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_IZ5lJbW
Default principal: admin

Valid starting       Expires              Service principal
11/06/2013 16:55:11  11/07/2013 16:55:09  krbtgt/TESTRELM.COM
-sh-4.2$ cat /proc/keys
05e24aab I--Q---     4 perm 1f3f0000 1913000003 65534 keyring   _uid.1913000003: empty
0a73d0ef I--Q---     4 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
0fde5f13 I--Q---     1 perm 1f3f0000 1913000003 65534 keyring   _uid_ses.1913000003: 1
10e048e3 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 480 [buff]
11b2fa7b I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 178 [buff]
13cf6e45 I--Q---    13 perm 3f030000 1913000003 1913000003 keyring   _ses: 1
14ea85dd I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 177 [buff]
1a15418b I--Q---     2 perm 3f010000 1913000003 1913000003 keyring   _krb: 3
1eb64fa4 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 173 [buff]
1f60f22a I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   krb_ccache_IZ5lJbW: 4
2bce9931 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 37
35423f57 I--Q---     1 perm 3f010000 1913000003 1913000003 user      __krb5_princ__: 33
370b80ce I------     2   2d 1f030000 1913000003 65534 keyring   _persistent.1913000003: 1
375df308 I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krbtgt/TESTRELM.COM: 490 [buff]
376176e7 I--Q---     1 perm 3f010000 1913000003 1913000003 keyring   1913000003: 4
3aec7ff9 I--Q---     1 perm 3f010000 1913000003 1913000003 user      krb_ccache:primary: 27
3b401d1a I--Q---     1 perm 3b010000 1913000003 1913000003 big_key   krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.COM\@TESTRELM.COM@X-CACHECONF:: 182 [buff]

-sh-4.2$ kinit nonroot
Password for nonroot: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1913000003:krb_ccache_9a1tHsK
Default principal: nonroot

Valid starting       Expires              Service principal
11/06/2013 16:56:06  11/07/2013 16:56:03  krbtgt/TESTRELM.COM

Comment 24 Scott Poore 2013-11-12 17:20:32 UTC
Verified per comment #22 above.

Also, quick check on standard install:

[root@ibm-x3650m4-01-vm-15 ~]# grep default_ccache_name /etc/krb5.conf
 default_ccache_name = KEYRING:persistent:%{uid}

Comment 26 Martin Kosek 2013-12-09 11:30:54 UTC
This was just a mistake in a process. Namita, can you please move the Bugzilla back to VERIFIED? I cannot do it myself.

Comment 27 Scott Poore 2013-12-09 14:27:11 UTC
Moving back to verified.

Comment 28 Scott Poore 2013-12-09 14:28:18 UTC
And clearing needinfo flag since I changed to verified.

Comment 29 Ludek Smid 2014-06-13 11:43:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.