Bug 1118347 - ksu non-functional, gets invalid argument copying cred cache
Summary: ksu non-functional, gets invalid argument copying cred cache
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: All
OS: All
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
Depends On: 1089035
Reported: 2014-07-10 13:19 UTC by Nalin Dahyabhai
Modified: 2015-03-05 10:01 UTC (History)

Fixed In Version: krb5-1.12.2-8.el7
Doc Type: Bug Fix
Doc Text:
Cause: Due to a bug in a fix included in the previous version of this package, ksu would fail to set up a credential cache for the target user when the value of the default_ccache_name setting configured in /etc/krb5.conf specified a FILE: type credential cache name.
Consequence: ksu would fail and would not attempt to run the specified command or the shell as the target user.
Fix: This case is now accounted for in the applied fix.
Result: ksu should no longer fail in these cases.
Clone Of: 1089035
Last Closed: 2015-03-05 10:01:01 UTC


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Nalin Dahyabhai 2014-07-10 13:19:31 UTC
+++ This bug was initially created as a clone of Bug #1089035 +++

Description of problem:

ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. log in to box either via pw or gssapi forwarding
2. attempt to ksu to another user that has a .k5login set up

Actual results:

-sh-4.2$ ksu aclmgr
Authenticated nneul@MST.EDU
Account aclmgr: authorization for nneul@MST.EDU successful
Changing uid to aclmgr (704669)
ksu: Invalid argument while copying cache /tmp/krb5cc_704669.1 to FILE:/tmp/krb5cc_704669.1

Expected results:

su'd to that user

Additional info:

-sh-4.2$ env | grep KRB5CC

-sh-4.2$ ls -al /tmp/krb5cc_*
-rw------- 1 root   root    4036 Apr 17 12:15 /tmp/krb5cc_0_rFtaPGhCmk
-rw------- 1 nneul  nneul   4036 Apr 17 12:24 /tmp/krb5cc_5879_Pl47qMu0wG
-rw------- 1 nneul  nneul   4036 Apr 17 12:38 /tmp/krb5cc_5879_d59sQTxP3C
-rw------- 1 aclmgr aclmgr 11945 Apr 16 08:51 /tmp/krb5cc_704669.1

--- Additional comment from  on 2014-04-17 13:51:27 EDT ---

selinux is disabled on the box.

--- Additional comment from Balint Cristian on 2014-04-30 09:53:08 EDT ---

* krb5-workstation-1.11.3-33.fc20.x86_64 seems to work fine.

- Can try downgrade and confirm ?
  * http://koji.fedoraproject.org/koji/buildinfo?buildID=479283

--- Additional comment from  on 2014-04-30 10:00:06 EDT ---

Confirmed. 1.11.3-33 does not exhibit the symptom.

--- Additional comment from  on 2014-04-30 10:07:50 EDT ---

1.11.3-39 also works. Will try to narrow down for you.

--- Additional comment from  on 2014-04-30 10:11:24 EDT ---

1.11.5-2 broke
1.11.5-4 broke
1.11.5-5 broke

It's got to be this change:

* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-40
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)

--- Additional comment from  on 2014-05-27 17:26:35 EDT ---

Any news on this bug? It pretty much renders ksu non-functional.

--- Additional comment from Nalin Dahyabhai on 2014-05-27 17:57:55 EDT ---

I'm planning on digging into this while making revisions per feedback in the upstream pull request; unfortunately there are a few items in other packages which are ahead of it on my schedule.

In the meantime I'm building krb5-1.11.5-6.fc20 with those changes backed out, which will at least work for FILE: caches.  Sorry for the disruption.

--- Additional comment from  on 2014-05-28 08:16:37 EDT ---

Appreciate it. Thank you!

Comment 3 Patrik Kis 2014-11-04 16:03:09 UTC
Hi Nalin,

any hints how to reproduce this issue? I probably miss something.

[root@fed ~]# rpm -q krb5-workstation
[root@fed ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = PKIS.NET
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 PKIS.NET = {
  kdc = fed.pkis.net
  admin_server = fed.pkis.net
 }

[domain_realm]
 .pkis.net = PKIS.NET
 pkis.net = PKIS.NET
[root@fed ~]# 
[root@fed ~]# cat /home/alice/.k5login 
[root@fed ~]# 
[root@fed ~]# ssh bob@localhost
bob@localhost's password: 
Last login: Tue Nov  4 16:59:31 2014 from localhost
[bob@fed ~]$ 
[bob@fed ~]$ kinit bob
Password for bob@PKIS.NET: 
[bob@fed ~]$ klist 
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: bob@PKIS.NET

Valid starting       Expires              Service principal
11/04/2014 16:59:52  11/05/2014 16:59:52  krbtgt/PKIS.NET@PKIS.NET
	renew until 11/04/2014 16:59:52
[bob@fed ~]$ 
[bob@fed ~]$ ksu alice 
Authenticated bob@PKIS.NET
Account alice: authorization for bob@PKIS.NET successful
Changing uid to alice (1001)
[alice@fed bob]$

Comment 4 nneul 2014-11-04 16:18:24 UTC
Interesting. I can now no longer reproduce this with the older version of the RPM now either...

Comment 5 Roland Mainz 2014-11-05 11:32:07 UTC
(In reply to nneul from comment #4)
> Interesting. I can now no longer reproduce this with the older version of
> the RPM now either...

Did you use a specific RPM or do you use a repository ?
(Guessing...) maybe the RPM in the repository was updated to a newer version ?

Comment 6 Patrik Kis 2015-01-30 14:12:49 UTC
I managed to reproduce the issue: the trick is to log in via ksu twice. The 2nd login will fail.
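The failure in the Actual results of the description and the reproduction in comment 6 (a second ksu to the same target user) have the same shape: the target's FILE: cache already exists, and ksu reports copying /tmp/krb5cc_704669.1 to FILE:/tmp/krb5cc_704669.1, i.e. the same file with and without its type prefix. The Python below is an added example, not ksu's code and not the fix that shipped in krb5-1.12.2-8.el7. It shows the check a cache-switching program wants before copying a FILE: cache: strip the optional FILE: prefix, refuse to copy a cache onto itself, and pick a fresh uniquely named 0600 file when the default_ccache_name target already exists. The %{uid} expansion, the directory layout and the cache contents are constructed for the example; real ksu additionally creates the target cache as the target user, which the example ignores.

```python
import os
import re
import tempfile


def parse_ccache_name(name):
    """Split a credential-cache name into (TYPE, residual).

    krb5 treats a name without a "TYPE:" prefix as a FILE: cache, so
    "/tmp/krb5cc_704669.1" and "FILE:/tmp/krb5cc_704669.1" name the same
    cache.  The type is upper-cased here so comparisons are case-insensitive.
    """
    m = re.match(r"^([A-Za-z0-9_]+):(.*)$", name)
    if m:
        return m.group(1).upper(), m.group(2)
    return "FILE", name


def expand_ccache_template(template, uid):
    """Expand the %{uid} parameter of a default_ccache_name value.
    (Only %{uid} is handled in this example; krb5 supports others.)"""
    return template.replace("%{uid}", str(uid))


def same_file_cache(src, dst):
    """True when both names denote FILE: caches that refer to the same file,
    after stripping the optional FILE: prefix and resolving symlinks."""
    stype, spath = parse_ccache_name(src)
    dtype, dpath = parse_ccache_name(dst)
    if stype != "FILE" or dtype != "FILE":
        return False
    if os.path.exists(spath) and os.path.exists(dpath):
        return os.path.samefile(spath, dpath)
    return os.path.realpath(spath) == os.path.realpath(dpath)


def choose_target_cache(default_ccache_name, target_uid, source_cache):
    """Pick the cache name the target user's credentials are copied into.

    Non-FILE types (KEYRING:, DIR:) are returned as-is: a collection can hold
    several caches, so no unique file name is needed.  For FILE: the default
    path is used only when it is not the source cache and does not already
    exist; otherwise a fresh 0600 file with a unique suffix is created next
    to it, so a second ksu never copies a cache onto itself.
    """
    name = expand_ccache_template(default_ccache_name, target_uid)
    ctype, path = parse_ccache_name(name)
    if ctype != "FILE":
        return name
    if not os.path.exists(path) and not same_file_cache(source_cache, name):
        return "FILE:" + path
    fd, fresh = tempfile.mkstemp(prefix=os.path.basename(path) + "_",
                                 dir=os.path.dirname(path))
    os.close(fd)  # mkstemp already created the file with mode 0600
    return "FILE:" + fresh


def simulate_two_ksu(source_uid=5879, target_uid=704669):
    """Constructed scenario from this report: a user with a FILE: cache runs
    ksu to the same target user twice.  Returns the source cache and the two
    target names chosen; the second must be neither the source nor the first.
    Cache contents are dummy bytes, not real Kerberos tickets."""
    cache_dir = tempfile.mkdtemp(prefix="ksu-example-")
    default = "FILE:" + os.path.join(cache_dir, "krb5cc_%{uid}")
    source = os.path.join(cache_dir, "krb5cc_%d_Pl47qMu0wG" % source_uid)
    with open(source, "wb") as f:
        f.write(b"constructed cache bytes")
    os.chmod(source, 0o600)

    chosen = []
    for _ in range(2):
        dst = choose_target_cache(default, target_uid, source)
        if same_file_cache(source, dst):
            raise RuntimeError("refusing to copy %s onto itself" % source)
        # Stand-in for the cache copy: afterwards the target file exists,
        # which is exactly the state the second ksu starts from.
        _, dpath = parse_ccache_name(dst)
        with open(dpath, "wb") as f:
            f.write(b"constructed cache bytes")
        os.chmod(dpath, 0o600)
        chosen.append(dst)
    return {"source": source, "first": chosen[0], "second": chosen[1]}


if __name__ == "__main__":
    for key, value in simulate_two_ksu().items():
        print("%-6s %s" % (key, value))
```

Running the block prints the source cache and the two target names: the first ksu gets the expanded default (krb5cc_704669), the second gets krb5cc_704669_ followed by a random suffix instead of failing on the existing file.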

Comment 9 errata-xmlrpc 2015-03-05 10:01:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

