1712875 – Old kerberos credentials active instead of valid new ones (kcm)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1712875 - Old kerberos credentials active instead of valid new ones (kcm)

Summary: Old kerberos credentials active instead of valid new ones (kcm)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Jakub Hrozek
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-22 11:41 UTC by adam winberg
Modified:	2020-06-23 09:10 UTC (History)
CC List:	14 users (show)
Fixed In Version:	sssd-2.2.0-19.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-05 22:34:25 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
sssd_kcm debug log (6.05 MB, application/gzip) 2019-05-23 05:56 UTC, adam winberg	no flags	Details
sssd.conf (1.20 KB, text/plain) 2019-05-23 06:46 UTC, adam winberg	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3651	0	None	None	None	2019-11-05 22:34:44 UTC

Description adam winberg 2019-05-22 11:41:12 UTC

Description of problem:
After installing RHEL8.0 GA I have noticed on a couple of occasions that I don't have any valid kerberos credentials when i logon. Doing a 'klist' shows that my credential cache contains keys that are expired. Doing a 'klist -A' shows that I have several KCM caches, where on of these contains my new, valid TGT. Problem is that that cache is not active. 

$ klist
Ticket cache: KCM:60483:39355
Default principal: a001329.COM

Valid starting       Expires              Service principal
2019-05-21 14:15:23  2019-05-21 22:53:29  nfs/fsprod30-01.example.com@
  renew until 2019-05-28 12:53:29
2019-05-21 12:53:29  2019-05-21 22:53:29  krbtgt/AD.EXAMPLE.COM.COM
  renew until 2019-05-28 12:53:29
2019-05-21 14:15:23  2019-05-21 22:53:29  nfs/fsprod30-01.example.com.COM
  renew until 2019-05-28 12:53:29

$ klist -A
Ticket cache: KCM:60483:39355
Default principal: a001329.COM

Valid starting       Expires              Service principal
2019-05-21 14:15:23  2019-05-21 22:53:29  nfs/fsprod30-01.example.com@
  renew until 2019-05-28 12:53:29
2019-05-21 12:53:29  2019-05-21 22:53:29  krbtgt/AD.EXAMPLE.COM.COM
  renew until 2019-05-28 12:53:29
2019-05-21 14:15:23  2019-05-21 22:53:29  nfs/fsprod30-01.example.com.COM
  renew until 2019-05-28 12:53:29

Ticket cache: KCM:60483:52158
Default principal: a001329.COM

Valid starting       Expires              Service principal
2019-05-21 10:09:03  2019-05-21 20:09:03  krbtgt/AD.EXAMPLE.COM.COM
  renew until 2019-05-27 10:43:10

Ticket cache: KCM:60483:54061
Default principal: a001329.COM

Valid starting       Expires              Service principal
2019-05-22 11:11:45  2019-05-22 20:52:43  krbtgt/AD.EXAMPLE.COM.COM
  renew until 2019-05-29 10:52:43

Ticket cache: KCM:60483:9594
Default principal: a001329.COM

Valid starting       Expires              Service principal
2019-05-21 12:10:47  2019-05-21 19:41:03  krbtgt/AD.EXAMPLE.COM.COM
  renew until 2019-05-28 05:54:49



Using 'kswitch' to switch to the valid cred cache works. 

Why does not sssd/kcm automatically switch to the valid cred cache?
Why has my credentials expired in the first place, shouldn't SSSD renew them automatically?
Why does not sssd/kcm purge the invalid caches?

Not sure how to reproduce this unfortunately! 

Version-Release number of selected component (if applicable):
sssd-2.0.0-43.el8_0.3.x86_64

How reproducible:
Sometimes

Steps to Reproduce:
1. -
2.
3.

Comment 1 adam winberg 2019-05-22 12:43:34 UTC

oh yeah, and the sssd_kcm process is really hogging the cpu when this occur:

From 'ps':

root      10286 47.5  2.3 199492 41440 ?        Rs   12:01  18:07 /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files

From 'top':
10286 root      20   0  199492  41440   8312 R  73.7   2.3  18:29.80 sssd_kcm 

Yikes, 73%cpu. 

Restart of sssd-kcm (service and socket) does not fix this, but if I do a 'kdestroy -A' kcm cpu usage normalizes. So KCM also seems upset about the state of my credential caches...

Comment 2 Jakub Hrozek 2019-05-22 13:22:36 UTC

Do you use a graphical session (gnome) or a headless server?

Can you enable KCM debugging and add the sssd logs?

It should be enough to drop a snippet with

[kcm]
debug_level = 8

to /etc/sssd.conf.d/ and restart the kcm service.

Comment 3 adam winberg 2019-05-22 13:27:18 UTC

This is on a headless server. 

I will try to capture a debug output.

Comment 4 adam winberg 2019-05-23 05:55:45 UTC

So the problem appeared again this morning, attaching kcm debug log. I logged in at 05.33.

Interesting thing I noticed this time is that I actually had two valid credential caches (checking with 'klist -A') - one for the session I just started but one other which had a start time from the middle of the night, which I presume is a renewal made by SSSD. Apart from those I hade 3 other caches with expired tickets, which SSSD apparantly has not renewed.

Comment 5 adam winberg 2019-05-23 05:56:30 UTC

Created attachment 1572328 [details]
sssd_kcm debug log

Comment 6 Jakub Hrozek 2019-05-23 06:40:52 UTC

It is an interesting observation with the renewal, can you also attach your sssd.conf? But keep in mind that so far sssd only renews tickets which it acquires itself, meaning only tickets acquired through a PAM login, not tickets acquired through kinit or another operation going through libkrb5 directly.

Comment 7 adam winberg 2019-05-23 06:45:50 UTC

Sure, attaching. 

Regarding renewals I thought that the point of KCM was that SSSD should be able to renew tickets regardless of how they were initiated?

Comment 8 adam winberg 2019-05-23 06:46:10 UTC

Created attachment 1572366 [details]
sssd.conf

Comment 9 Jakub Hrozek 2019-05-23 07:01:40 UTC

(In reply to adam winberg from comment #7)
> Sure, attaching. 
> 
> Regarding renewals I thought that the point of KCM was that SSSD should be
> able to renew tickets regardless of how they were initiated?

Yes, but this bit has not been implemented yet.

Comment 10 adam winberg 2019-05-23 07:35:11 UTC

So at this point, is there any benefit of using kcm Vs just disabling it?

Comment 11 Jakub Hrozek 2019-05-23 07:40:46 UTC

(In reply to adam winberg from comment #10)
> So at this point, is there any benefit of using kcm Vs just disabling it?

Not much, unless you care about sharing ccaches between containers by bind-mounting the socket between containers and/or UID namespacing, also typically for the container case.

Comment 12 adam winberg 2019-05-23 07:48:54 UTC

Ok, interesting. Then I guess I will disable it for now. 

Is there any roadmap for sssd being able to renew tickets 'freely' in RHEL8?

Comment 13 Jakub Hrozek 2019-05-23 07:56:35 UTC

(In reply to adam winberg from comment #12)
> Ok, interesting. Then I guess I will disable it for now. 
> 
> Is there any roadmap for sssd being able to renew tickets 'freely' in RHEL8?

8.1 or 8.2

Comment 14 James Ralston 2019-06-10 00:20:59 UTC

This upstream ticket is the same issue:

https://pagure.io/SSSD/sssd/issue/4017

As I wrote in the upstream ticket, renewing credentials in the cache won't solve this problem.

In a credential cache that supports collections, only one credential can be active. And for both the kernel persistent keyring and KCM, all processes with the same uid share the same credential cache.

This means that creating an additional credential in the cache, in an attempt to avoid overwriting the credential that is already in the cache, is an error. It's meaningless: if you don't make the new credential the active one, then the process that requested the forwarding will not see the credential that it forwarded. If you *do* make it active, then you have switched the credential from every other process running as that user on the system. Effectively, you've overwritten the previous credential.

KCM needs to implement the logic I described in the upstream bug report: if a credential is being forwarded into KCM, and that credential already exists in the cache, then KCM must make a decision whether to keep the existing credential, or overwrite that credential with the credential that is being forwarded. That decision could be an unconditional "always prefer the incoming credential over the preexisting credential", or KCM could be smarter and bias its selection based on the credentials' respective remaining lifetime. But it *must* make a decision.

And there's another good reason to prefer KCM over the kernel persistent keyring for storing credentials: cifs.upcall is completely ignorant of SELinux, and will cheerfully initialize root's kernel persistent keyring credential cache with an SELinux context that will subsequently deny access to rpc.gssd, which runs in the gssd_t context and cannot access kernel keyrings unless they are properly labeled.

This means that if you configure a Linux host to both access Windows SMB shares via the cifs kernel module and access NFSv4 mounts via Kerberized NFSv4, you have to put gssd_t into permissive mode, because if cifs.upcall initializes (or renews) root's credential cache, it will block access to rpc.gssd. Being forced to put a process that is charge of managing security contexts and credentials into permissive mode to avoid SELinux breakage is unpalatable, so say the least.

In contrast, KCM avoids this issue, because KCM manages its keystore itself, in the filesystem, in a file that has correct SELinux labels. That's a compelling advantage over using the kernel persistent keyring, even if you aren't running containers.

Comment 20 Michal Zidek 2019-09-01 23:23:31 UTC

master
        0216bfe - KCM: Fill empty cache, do not initialize a new one
        f5f7f26 - KCM: Allow modifications of ccache's principal
        6b05700 - KCM: Add a forgotten return

Comment 25 errata-xmlrpc 2019-11-05 22:34:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651

Comment 26 Orion Poplawski 2020-06-01 21:13:54 UTC

It doesn't look like this has been fully addressed upstream.  And I'm still seeing multiple caches and large sssd_kcm cpu usage on Fedora 31 with sssd-kcm-2.2.3-13.fc31.x86_64.

Comment 27 Orion Poplawski 2020-06-01 21:31:39 UTC

See followup bug 1780308

Note You need to log in before you can comment on or make changes to this bug.