Red Hat Bugzilla – Bug 1118347
ksu non-functional, gets invalid argument copying cred cache
Last modified: 2015-03-05 05:01:01 EST
+++ This bug was initially created as a clone of Bug #1089035 +++

Description of problem:
ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5

Version-Release number of selected component (if applicable):
krb5-workstation-1.11.5-4.fc20.x86_64

How reproducible:
100%

Steps to Reproduce:
1. log in to box either via pw or gssapi forwarding
2. attempt to ksu to another user that has a .k5login set up

Actual results:
-sh-4.2$ ksu aclmgr
Authenticated nneul@MST.EDU
Account aclmgr: authorization for nneul@MST.EDU successful
Changing uid to aclmgr (704669)
ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5cc_704669.1

Expected results:
su'd to that user

Additional info:
-sh-4.2$ env | grep KRB5CC
KRB5CCNAME=FILE:/tmp/krb5cc_5879_Pl47qMu0wG
-sh-4.2$ ls -al /tmp/krb5cc_*
-rw------- 1 root   root    4036 Apr 17 12:15 /tmp/krb5cc_0_rFtaPGhCmk
-rw------- 1 nneul  nneul   4036 Apr 17 12:24 /tmp/krb5cc_5879_Pl47qMu0wG
-rw------- 1 nneul  nneul   4036 Apr 17 12:38 /tmp/krb5cc_5879_d59sQTxP3C
-rw------- 1 aclmgr aclmgr 11945 Apr 16 08:51 /tmp/krb5cc_704669.1

--- Additional comment from on 2014-04-17 13:51:27 EDT ---

selinux is disabled on the box.

--- Additional comment from Balint Cristian on 2014-04-30 09:53:08 EDT ---

* krb5-workstation-1.11.3-33.fc20.x86_64 seems to work fine.
  - Can you try a downgrade and confirm?
* http://koji.fedoraproject.org/koji/buildinfo?buildID=479283

--- Additional comment from on 2014-04-30 10:00:06 EDT ---

Confirmed. 1.11.3-33 does not exhibit the symptom.

--- Additional comment from on 2014-04-30 10:07:50 EDT ---

1.11.3-39 also works. Will try to narrow down for you.

--- Additional comment from on 2014-04-30 10:11:24 EDT ---

1.11.5-2 broke
1.11.5-4 broke
1.11.5-5 broke

It's got to be this change:

* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-40
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)

--- Additional comment from on 2014-05-27 17:26:35 EDT ---

Any news on this bug? It pretty much renders ksu non-functional.

--- Additional comment from Nalin Dahyabhai on 2014-05-27 17:57:55 EDT ---

I'm planning on digging into this while making revisions per feedback in the upstream pull request; unfortunately there are a few items in other packages which are ahead of it on my schedule. In the meantime I'm building krb5-1.11.5-6.fc20 with those changes backed out, which will at least work for FILE: caches. Sorry for the disruption.

--- Additional comment from on 2014-05-28 08:16:37 EDT ---

Appreciate it. Thank you!

Hi Nalin, any hints how to reproduce this issue? I'm probably missing something.

[root@fed ~]# rpm -q krb5-workstation
krb5-workstation-1.11.5-4.fc20.x86_64
[root@fed ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = PKIS.NET
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 PKIS.NET = {
  kdc = fed.pkis.net
  admin_server = fed.pkis.net
 }

[domain_realm]
 .pkis.net = PKIS.NET
 pkis.net = PKIS.NET
[root@fed ~]#
[root@fed ~]# cat /home/alice/.k5login
bob@PKIS.NET
[root@fed ~]#
[root@fed ~]# ssh bob@localhost
bob@localhost's password:
Last login: Tue Nov 4 16:59:31 2014 from localhost
[bob@fed ~]$
bob@fed ~]$ kinit bob
Password for bob@PKIS.NET:
[bob@fed ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: bob@PKIS.NET

Valid starting       Expires              Service principal
11/04/2014 16:59:52  11/05/2014 16:59:52  krbtgt/PKIS.NET@PKIS.NET
        renew until 11/04/2014 16:59:52
[bob@fed ~]$
[bob@fed ~]$ ksu alice
Authenticated bob@PKIS.NET
Account alice: authorization for bob@PKIS.NET successful
Changing uid to alice (1001)
[alice@fed bob]$

Interesting. I can now no longer reproduce this with the older version of the RPM now either...

(In reply to nneul from comment #4)
> Interesting. I can now no longer reproduce this with the older version of
> the RPM now either...

Did you use a specific RPM or do you use a repository?
(Guessing...) maybe the RPM in the repository was updated to a newer version?

I managed to reproduce the issue: the trick is to log in via ksu twice. The 2nd login will fail.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0439.html