1724460 – gssproxy overwrites user Kerberos cache

Bug 1724460 - gssproxy overwrites user Kerberos cache

Summary: gssproxy overwrites user Kerberos cache

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	gssproxy
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Robbie Harwood
QA Contact:	anuja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-06-27 07:17 UTC by Ondrej
Modified:	2019-07-12 16:37 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-12 16:37:20 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ondrej 2019-06-27 07:17:19 UTC

Description of problem:
Machine is joined to AD domain using realmd tool so hence /etc/krb5.keytab is populated.
I login to the machine using my AD credentials (i.e. using Kerberos), but when 'klist' command shows my personal Kerberos cache only contains machine credentials:

[victim@skynet19 gssproxy]$ klist -A
Ticket cache: FILE:/tmp/krb5cc_1099_XW1psVw
Default principal: SKYNET19$@MYDOMAIN.COM

Valid starting     Expires            Service principal
31/12/69 19:00:00  31/12/69 19:00:00  Encrypted/Credentials/v1@X-GSSPROXY:

Actual results:

User Kerberos cache populated with machine principals

Expected results:

User Kerberos cache contains user Kerberos principals

Additional info:

Comment 1 Robbie Harwood 2019-06-27 17:14:49 UTC

You have changed the default ccache type to FILE.  FILE has a number of limitations, one of which you are encountering here (that there can only be one principal; that is, the cache is not a collection type.)  You would get similar behavior out of FILE if you were to kinit as one user, then kinit a second.  (i.e., you would see only the second user's TGT.)

We recommend KEYRING or KCM be used for credential caches where possible because they do not have this issue.  In cases where files on disk are needed for some reason, DIR can provide this while still being a collection type.

You can find more information about this in Kerberos documentation on your machine, or in the online version of the docs https://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches

Comment 2 Ondrej 2019-07-09 12:48:07 UTC

Right, I did not spot the FILE ccache. So it must have been the Nomachine (www.nomachine.com) bug then - looks like they ignore /etc/krb5.conf.
BTW I still see this behavior using kernel keyring, but it only happens with root account:
1. I login to machine as root (local account)
2. kinit <some_user>
3. after some time "klist -A" also displays the machine principal (SKYNET19$ in this case)

But I am not sure if it is a bug or feature. For sure it only happens if gssproxy service is running.
Can you clarify?

Comment 3 Robbie Harwood 2019-07-09 19:56:07 UTC

Are you asking if it's intentional that multiple ccaches be present in a ccache collection?  If so, the answer is yes.

Comment 4 Ondrej 2019-07-09 19:59:30 UTC

no, 
I am asking if it is intentional for gssproxy to populate root's Kerberos ccache collection with machine principals.

Comment 5 Robbie Harwood 2019-07-10 18:40:24 UTC

Yes - the application using the credentials hasn't requested a different ccache, so they end up in this one.

Comment 6 Ondrej 2019-07-12 08:53:48 UTC

Ok, thanks for the feedback, feel free to close this BZ

Note You need to log in before you can comment on or make changes to this bug.