RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2088901 - Default GSSAPICleanupCredentials=no eventually results in local_db_check_peruid_number_of_secrets failure in sssd_kcm
Summary: Default GSSAPICleanupCredentials=no eventually results in local_db_check_peru...
Keywords:
Status: CLOSED DUPLICATE of bug 1900973
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.5
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: jstephen
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-05-21 13:29 UTC by Dan Astoorian
Modified: 2022-06-07 18:39 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-07 18:39:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-122685 0 None None None 2022-05-21 13:29:54 UTC

Description Dan Astoorian 2022-05-21 13:29:04 UTC 
Description of problem:
With the default settings of "GSSAPIAuthentication yes" and "GSSAPICleanupCredentials no" in /etc/ssh/sshd_config, credentials delegated via "GSSAPIDelegateCredentials yes" from the SSH client are never cleaned up.  This eventually results in sssd_kcm rejecting logins when the maximum number of secrets is reached for the user.  This in turn results in the user being unable to log in with domain credentials (e.g. to GDM).

Version-Release number of selected component (if applicable):
openssh-8.0p1-10.el8.x86_64
sssd-kcm-2.5.2-2.el8_5.4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Join machine to a domain and set up GSSAPI authentication for SSH, with KCM enabled
2. From a host with a valid TGT, do 
    for run in {1..66}; do ssh -K myhost /bin/true; done
3. Observe that "klist -A" on the target lists dozens of ticket caches created by these sessions
4. Attempt to log into GDM using the domain credentials on the target host.

Actual results:
GDM login fails; sssd_kcm.log reports "[kcm] [local_db_check_peruid_number_of_secrets] (0x0040): Cannot store any more secrets for this client (basedn cn=NNN,cn=persistent,cn=kcm) as the maximum allowed limit (66) has been reached", and /var/log secure reports "[gdm-password][nnnnnnn]: pam_sss(gdm-password:auth): received for user myuser: 4 (System error)".

Expected results:
User should be able to log in.

Additional info:
When this occurs for a user, "kdestroy -A" can be used to destroy the credentials caches to allow that user to log in again.

The default of "no" of GSSAPICleanupCredentials was a deliberate decision based on Bug 1055016, and was described as a "reasonable workaround" (which is why I've filed this as an openssh bug rather than an sssd-kcm bug); I don't know whether this measure is still needed, but eight years later, one hopes that a better solution might be available.

If changing the default for GSSAPICleanupCredentials back to "yes" is not practical, there are several ways this issue could be mitigated, including:

- raising the maximum number of allowed secrets per user in sssd_kcm to a limit greater than 66 (although this merely delays the inevitable and may have performance implications);

- upon reaching the maximum (or just periodically), deleting tickets that have already expired; or, replacing the oldest secret when the maximum is reached;

- somehow changing the mechanism so that every SSH login with GSSAPIDelegateCredentials=yes does not create a separate credentials cache.

I don't know whether there is a simple way to determine how many secrets sssd_kcm has stored for each user (e.g., to determine whether any users are nearing the limit and at risk for not being able to log in), or if there is an easier method to clear those secrets than running "kdestroy -A" as the affected user, but this information would be helpful in treating the symptom.
Comment 1 Jakub Jelen 2022-05-31 14:59:29 UTC 
I think this is something to sssd kcm to handle. We certainly can not reuse kcm sessions in openssh and if you choose to not cleanup, there is no way we can clean up the credentials in openssh.
Comment 2 jstephen 2022-06-07 18:39:48 UTC 
Duplicate of feature request of KCM BZ 1900973

*** This bug has been marked as a duplicate of bug 1900973 ***
Note You need to log in before you can comment on or make changes to this bug.