Bug 1471144 - msktutil fails when default_ccache_name is KEYRING
Summary: msktutil fails when default_ccache_name is KEYRING
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: msktutil
Version: epel7
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Michael Cronenworth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-14 13:59 UTC by Assen Totin
Modified: 2021-09-16 17:28 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-09-16 17:28:06 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Assen Totin 2017-07-14 13:59:08 UTC
Description of problem:
msktutil fails when default_ccache_name in krb5.conf is KEYRING. This cache mode is Linux-specific.

The default default_ccache_name for Kerberos is  FILE, but EL7 ships with a default krb5.conf that sets it to KEYRING:persistent:%{uid}. 

Version-Release number of selected component (if applicable):
0.5.1-2.el7

How reproducible:
Every time

Steps to Reproduce:
1. Configure AD authentication (e.g., via authconfig) without joining the domain itself. Check that /etc/krb5.conf has the line 
default_ccache_name = KEYRING:persistent:%{uid}

2. Install krb5-workstation. Use kinit to obtain a ticket with a user that has domain object creation permission (e.g., as domain Administrator).

3. Use msktutil to create a machine object account and local keytab so that SSH may use GSSAPI to allow passwordless login to authorised domain users. Use verbose mode to observe the error.
msktutil -c --verbose

Actual results:
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
     default machine password, nor calling user's tickets worked. Try
     "kinit"ing yourself some tickets with permission to create computer
     objects, or pre-creating the computer object in AD and selecting
     'reset account'.

Expected results:
Machine object is successfully created. 

Additional info:
Everything works as expected if the Kerberos cache is set to FILE (even by simply commenting out the default_ccache_name in krb5.conf). However, this is far from obvious... and it is expected that msktutil will work with every cache mode that Kerberos libraries support.

Comment 1 Ken Dreyer 2017-07-16 02:21:45 UTC
Sorry you're experiencing this issue. I've never used msktutil with anything other than a FILE cache.

Have you tried reporting this to msktutil upstream? https://github.com/msktutil/msktutil/issues

Comment 2 Fedora Admin user for bugzilla script actions 2020-09-13 02:51:11 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 3 Orion Poplawski 2021-09-16 17:28:06 UTC
FWIW - I don't seem to be having any trouble with msktutil 1.1.0 on EL7 with keying caches.  So I'm going to go ahead and close this.  Feel free to reopen if there is still an issue.


Note You need to log in before you can comment on or make changes to this bug.