Bug 1029110 - Kerberos keyring credential cache does not properly throw an error when an invalid UID is used in the KEYRING:persistent:<UID> ccname
Kerberos keyring credential cache does not properly throw an error when an in...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
Patrik Kis
Depends On: 991110
  Show dependency treegraph
Reported: 2013-11-11 11:57 EST by Patrik Kis
Modified: 2014-10-03 03:46 EDT (History)
4 users (show)

See Also:
Fixed In Version: krb5-1.11.3-32.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-06-13 07:03:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Patrik Kis 2013-11-11 11:57:31 EST
Description of problem:
If the keyring ccache is changed from UID to username like below, it is not possible to get ticket as non-root user.
 default_ccache_name = KEYRING:persistent:%{username}
This is corner case but since it works for root one would expect to work also as non-root user.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. change the default_ccache_name line in /etc/krb5.conf to:
 default_ccache_name = KEYRING:persistent:%{username}
                                            ^^^^^^^^  note this
2. as user root all ok:
# kinit alice
Password for alice@ZMRAZ.COM: 
# klist 
Ticket cache: KEYRING:persistent:root:0
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/11/2013 15:52:35  11/12/2013 15:52:35  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/11/2013 15:52:35

3. but as non-root user:
# su - alice
Last login: Mon Nov 11 15:48:09 CET 2013 on pts/1
$ kinit
kinit: Invalid UID in persistent keyring name while getting default ccache
Comment 1 Stephen Gallagher 2013-11-11 12:10:31 EST
The description of this bug is exactly reversed from what should be happening here.

It is NOT supported or correct behavior for the KRB5CCNAME to be specified with the username. The error message "Invalid UID in persistent keyring name" is the proper response here.

The fact that it is NOT failing when root makes this mistake is the actual bug.
Comment 2 Stephen Gallagher 2013-11-11 12:11:56 EST
(Hit enter too soon)

I suspect that we're not properly validating this string. I have a guess that we may just be hitting a weird edge case with the string->int conversion and ending up with zero (which just happens to work for root).
Comment 5 Ludek Smid 2014-06-13 07:03:01 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.