Bug 1118347 - ksu non-functional, gets invalid argument copying cred cache
Summary: ksu non-functional, gets invalid argument copying cred cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: All
OS: All
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1089035
Blocks:
 
Reported: 2014-07-10 13:19 UTC by Nalin Dahyabhai
Modified: 2015-03-05 10:01 UTC (History)
CC List: 9 users

Fixed In Version: krb5-1.12.2-8.el7
Doc Type: Bug Fix
Doc Text:
Cause: Due to a bug in a fix included in the previous version of this package, ksu would fail to set up a credential cache for the target user when the value of the default_ccache_name setting configured in /etc/krb5.conf specified a FILE: type credential cache name. Consequence: ksu would fail and would not attempt to run the specified command or the shell as the target user. Fix: This case is now accounted for in the applied fix. Result: ksu should no longer fail in these cases.
Clone Of: 1089035
Environment:
Last Closed: 2015-03-05 10:01:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Nalin Dahyabhai 2014-07-10 13:19:31 UTC
+++ This bug was initially created as a clone of Bug #1089035 +++

Description of problem:

ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5

Version-Release number of selected component (if applicable):

krb5-workstation-1.11.5-4.fc20.x86_64


How reproducible:

100%

Steps to Reproduce:
1. log in to box either via pw or gssapi forwarding
2. attempt to ksu to another user that has a .k5login set up

Actual results:

-sh-4.2$ ksu aclmgr
Authenticated nneul
Account aclmgr: authorization for nneul successful
Changing uid to aclmgr (704669)
ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5cc_704669.1

Expected results:

su'd to that user


Additional info:

-sh-4.2$ env | grep KRB5CC
KRB5CCNAME=FILE:/tmp/krb5cc_5879_Pl47qMu0wG

-sh-4.2$ ls -al /tmp/krb5cc_*
-rw------- 1 root   root    4036 Apr 17 12:15 /tmp/krb5cc_0_rFtaPGhCmk
-rw------- 1 nneul  nneul   4036 Apr 17 12:24 /tmp/krb5cc_5879_Pl47qMu0wG
-rw------- 1 nneul  nneul   4036 Apr 17 12:38 /tmp/krb5cc_5879_d59sQTxP3C
-rw------- 1 aclmgr aclmgr 11945 Apr 16 08:51 /tmp/krb5cc_704669.1

--- Additional comment from  on 2014-04-17 13:51:27 EDT ---

selinux is disabled on the box.

--- Additional comment from Balint Cristian on 2014-04-30 09:53:08 EDT ---


* krb5-workstation-1.11.3-33.fc20.x86_64 seems to work fine.

- Can try downgrade and confirm ?
  * http://koji.fedoraproject.org/koji/buildinfo?buildID=479283

--- Additional comment from  on 2014-04-30 10:00:06 EDT ---

Confirmed. 1.11.3-33 does not exhibit the symptom.

--- Additional comment from  on 2014-04-30 10:07:50 EDT ---

1.11.3-39 also works. Will try to narrow down for you.

--- Additional comment from  on 2014-04-30 10:11:24 EDT ---

1.11.5-2 broke
1.11.5-4 broke
1.11.5-5 broke

It's got to be this change:

* Fri Jan 31 2014 Nalin Dahyabhai <nalin> - 1.11.3-40
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)

--- Additional comment from  on 2014-05-27 17:26:35 EDT ---

Any news on this bug? It pretty much renders ksu non-functional.

--- Additional comment from Nalin Dahyabhai on 2014-05-27 17:57:55 EDT ---

I'm planning on digging into this while making revisions per feedback in the upstream pull request; unfortunately there are a few items in other packages which are ahead of it on my schedule.

In the meantime I'm building krb5-1.11.5-6.fc20 with those changes backed out, which will at least work for FILE: caches.  Sorry for the disruption.

--- Additional comment from  on 2014-05-28 08:16:37 EDT ---

Appreciate it. Thank you!

Comment 3 Patrik Kis 2014-11-04 16:03:09 UTC
Hi Nalin,

any hints how to reproduce this issue? I probably miss something.

[root@fed ~]# rpm -q krb5-workstation
krb5-workstation-1.11.5-4.fc20.x86_64
[root@fed ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = PKIS.NET
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 PKIS.NET = {
  kdc = fed.pkis.net
  admin_server = fed.pkis.net
 }

[domain_realm]
 .pkis.net = PKIS.NET
 pkis.net = PKIS.NET
[root@fed ~]# 
[root@fed ~]# cat /home/alice/.k5login 
bob
[root@fed ~]# 
[root@fed ~]# ssh bob@localhost
bob@localhost's password: 
Last login: Tue Nov  4 16:59:31 2014 from localhost
[bob@fed ~]$ 
[bob@fed ~]$ kinit bob
Password for bob: 
[bob@fed ~]$ klist 
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: bob

Valid starting       Expires              Service principal
11/04/2014 16:59:52  11/05/2014 16:59:52  krbtgt/PKIS.NET
	renew until 11/04/2014 16:59:52
[bob@fed ~]$ 
[bob@fed ~]$ ksu alice 
Authenticated bob
Account alice: authorization for bob successful
Changing uid to alice (1001)
[alice@fed bob]$

Comment 4 nneul 2014-11-04 16:18:24 UTC
Interesting. I can now no longer reproduce this with the older version of the RPM now either...

Comment 5 Roland Mainz 2014-11-05 11:32:07 UTC
(In reply to nneul from comment #4)
> Interesting. I can now no longer reproduce this with the older version of
> the RPM now either...

Did you use a specific RPM or do you use a repository ?
(Guessing...) maybe the RPM in the repository was updated to a newer version ?

Comment 6 Patrik Kis 2015-01-30 14:12:49 UTC
I managed to reproduce the issue: the trick is to log in via ksu twice. The 2nd login will fail.
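An added example, not code from this report or from krb5 itself: a pre-flight check in Python for the condition the Doc Text above describes. It resolves default_ccache_name from a constructed krb5.conf (modelled on the one in comment 3, with the setting uncommented and switched to a FILE: name, which is an assumption), reports the resulting cache type, and compares an installed krb5 version-release string against the Fixed In Version of this report using a simplified rpmvercmp that ignores epoch, `~` and `^`. "Older than the fixed build" is all the version check reports; it does not determine whether a particular build carries the regression that comment 5 of the Fedora thread bisected to 1.11.3-40.

```python
"""Added example (not from the bug report or from krb5): check whether a host
is configured the way this report describes (FILE: type default_ccache_name)
and whether its krb5 build predates the fixed version krb5-1.12.2-8.el7."""
import re

# Constructed krb5.conf modelled on comment 3, with default_ccache_name
# uncommented and set to a FILE: name (assumption, not the reporter's config).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 forwardable = true
 default_realm = PKIS.NET
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}   # set to a FILE: cache

[realms]
 PKIS.NET = {
  kdc = fed.pkis.net
 }
"""

# MIT krb5's built-in default when default_ccache_name is not configured.
BUILTIN_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"

# Fixed In Version from this report (version-release, package name dropped).
FIXED_VR = "1.12.2-8.el7"


def parse_libdefaults(conf_text):
    """Return the flat 'key = value' pairs of [libdefaults] as a dict.
    '#' and ';' comments are dropped; nested realm blocks are ignored."""
    values, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def default_ccache_name(conf_text, uid):
    """Resolve default_ccache_name for uid, expanding %{uid}."""
    name = parse_libdefaults(conf_text).get("default_ccache_name",
                                            BUILTIN_DEFAULT_CCACHE)
    return name.replace("%{uid}", str(uid))


def ccache_type(name):
    """Cache type prefix (FILE, KEYRING, DIR, ...); a bare path is FILE."""
    m = re.match(r"^([A-Za-z]+):", name)
    return m.group(1).upper() if m else "FILE"


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare alnum segments left to right; numeric
    segments compare as integers, alphabetic ones as strings, numeric wins
    over alphabetic. Epoch, '~' and '^' are not handled (assumption)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def older_than_fix(installed_vr, fixed_vr=FIXED_VR):
    """True if 'version-release' sorts before the fixed build."""
    va, _, ra = installed_vr.partition("-")
    vb, _, rb = fixed_vr.partition("-")
    return (rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)) < 0


def preflight(conf_text, installed_vr, target_uid):
    """Combine both checks for the user ksu would switch to."""
    ctype = ccache_type(default_ccache_name(conf_text, target_uid))
    old = older_than_fix(installed_vr)
    return {"ccache_type": ctype, "older_than_fix": old,
            "matches_report": ctype == "FILE" and old}


if __name__ == "__main__":
    # Example run against the constructed config and a hypothetical build.
    print(preflight(SAMPLE_KRB5_CONF, "1.12.2-6.el7", 1001))
```

On a real host, feed it the text of /etc/krb5.conf and the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' krb5-workstation`; a KEYRING: or DIR: result means the FILE: case described in the Doc Text does not apply.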

Comment 9 errata-xmlrpc 2015-03-05 10:01:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html

