405711 – Stale Kerberos tickets did not removed duning reboot

Bug 405711 - Stale Kerberos tickets did not removed duning reboot

Summary: Stale Kerberos tickets did not removed duning reboot

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	nfs-utils
Sub Component:
Version:	5.0
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Steve Dickson
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	431623 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-30 09:56 UTC by Andrew Martynov
Modified:	2008-09-18 20:15 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-09-18 20:12:43 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Andrew Martynov 2007-11-30 09:56:01 UTC

Description of problem:
rc.sysinit did not remove stale krb5 tickets used by pam_krb5 and NFS4
(rpcsvcgdd) - files /tmp/rkb5cc_*

Version-Release number of selected component (if applicable):
initscripts-8.45.17.EL-1

How reproducible:
Always if krb5 credentials cache has expired ticket

Steps to Reproduce:
1. Configure krb5 support
2. Setup NFS4 ( SECURE_NFS=yes in /etc/sysconfig/nfs )
3. use kinit to obtain tickets in local credential cache /tmp/krb5cc_<UID> or
/tmp/krb5cc_<UID>_<RANDOM>
4. Wait 24 hours to make ticked expired
5. Reboot server
6. try to access NFS4 mount 
7. run tail /var/log/message
8. look at message that rpcgssd service can not work with stale Kerberos ticket
in /tmp/krb5cc_<UID>_<RANDOM> file, while /tmp/krb5cc_<UID> has correct renewed
ticket
  
Actual results:
rpcsvcgssd did not allow user to access NFS4 share

Expected results:
rpcsvcgssd use correct krb5 ticked to allow access

Additional info:
I suppose that it is not big problem to remove all stale and active caches for
users during reboot, because users will be authenticated one more time on login
in any case.

Comment 1 Bill Nottingham 2007-11-30 16:22:02 UTC

Tickets can expire at any time, not just between reboots. I'm not seeing why
this is an initscripts issue rather than a rpcsvcgssd issue.

Comment 2 Steve Dickson 2007-12-17 13:30:11 UTC

Kevin,

Any ideas how this should work? Actually I thought it already did...

Comment 3 Andrew Martynov 2007-12-17 13:44:28 UTC

Usually, if kerberos ticket is going to expire soon on running system
krb5-auth-dialog ask user to enter password to renew ticket.

In my situation I have two caches: /tmp/krb5cc_<UID> with valid ticket and
/tmp/krb5cc_<UID>_<RANDOM> with expired one.

After reboot rpcsvcgssd use cache in file /tmp/krb5cc_<UID>_<RANDOM> with wrong
ticket, but kinit use /tmp/krb5cc_<UID> to store valid ticket.

So we need to force rpcsvcgssd use correct cache file (or all cache variants) or
we need to force deletion stale ticked from caches.

Unfortunally I did not familiar with method of naming KRB5 tichet cache files,
so I did not see any option to avoid conflict in caches.

Comment 4 Kevin Coffman 2007-12-17 15:04:00 UTC

(In reply to comment #2)
> Kevin,
> 
> Any ideas how this should work? Actually I thought it already did...

rpc.gssd has no clue which credentials cache (ccache) to use.  Depending on the
exact version, it uses name or ownership of the ccache files.  If there are
multiple matching caches based on name or ownership, gssd tries to use the
ccache with the latest mtime.

Userland code uses an environment variable (KRB5CCNAME) to determine which
ccache to use.  (A default name is used if the environment variable is not set.)
 This information is not available for the kernel to pass up to gssd, so gssd
must make an educated guess about which ccache to use.

Removing expired ccaches could be a workaround, but as pointed out, it is not
something that can just be run at startup since ccaches can expire at any time.
 I'm not sure of the side-effects of having a daemon running that removes
expired credentials caches.

Comment 5 Kevin Coffman 2007-12-17 15:10:47 UTC

(In reply to comment #3)
> Usually, if kerberos ticket is going to expire soon on running system
> krb5-auth-dialog ask user to enter password to renew ticket.
> 
> In my situation I have two caches: /tmp/krb5cc_<UID> with valid ticket and
> /tmp/krb5cc_<UID>_<RANDOM> with expired one.
> 
> After reboot rpcsvcgssd use cache in file /tmp/krb5cc_<UID>_<RANDOM> with wrong
> ticket, but kinit use /tmp/krb5cc_<UID> to store valid ticket.
> 
> So we need to force rpcsvcgssd use correct cache file (or all cache variants) or
> we need to force deletion stale ticked from caches.
> 
> Unfortunally I did not familiar with method of naming KRB5 tichet cache files,
> so I did not see any option to avoid conflict in caches.

If the KRB5CCNAME is not set, /tmp/krb5cc_<UID> is the default name used. 
Normally KRB5CCNAME is set by the PAM module and/or sshd to add "_<random>".  As
I noted, this information is not available for the kernel to pass up to gssd, so
gssd must use the information it has (only a UID) to try to find credentials to use.

Comment 6 RHEL Program Management 2008-06-02 20:27:35 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 Steve Dickson 2008-09-18 20:12:43 UTC

So setting KRB5CCNAME should take care of this issue... So I'm going to close as not a bug... if this is not the case please feel free to reopen this.

Comment 8 Steve Dickson 2008-09-18 20:15:36 UTC

*** Bug 431623 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.