Bug 507984 - In the absence of KRB5CCNAME, use default credentials cache, like kinit
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Keywords: Patch
Reported: 2009-06-24 20:30 EDT by Bojan Smojver
Modified: 2009-06-29 13:49 EDT
Fixed In Version: 2.3.7-1
Doc Type: Bug Fix
Last Closed: 2009-06-26 17:38:11 EDT

Attachments
Set default ccname in the absence of KRB5CCNAME env variable (968 bytes, patch), 2009-06-24 20:30 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (960 bytes, patch), 2009-06-24 20:52 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (1019 bytes, patch), 2009-06-24 23:25 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (1021 bytes, patch), 2009-06-25 04:01 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (1.03 KB, patch), 2009-06-25 05:25 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (2.62 KB, patch), 2009-06-25 21:54 EDT, Bojan Smojver
Set default ccname in the absence of KRB5CCNAME env variable (2.77 KB, patch), 2009-06-25 23:05 EDT, Bojan Smojver
patch to use krb5_cc_default_name() and do similar things for v4 tickets (2.97 KB, patch), 2009-06-26 17:19 EDT, Nalin Dahyabhai

Description Bojan Smojver 2009-06-24 20:30:20 EDT
Created attachment 349319
Set default ccname in the absence of KRB5CCNAME env variable

Description of problem:
PAM_REINITIALIZE_CRED only obeys the environment variable, but this variable may not be set. In that case, it should try the default credentials cache, as specified in the kinit manual page.

Version-Release number of selected component (if applicable):
2.3.6-1.fc12

How reproducible:
Always.

Steps to Reproduce:
1. Run src/harness --auth --setcred-reinitialize without KRB5CCNAME in the env.
  
Actual results:
Does not reissue the TGT.

Expected results:
Should reissue the TGT, if we have a default CC.

Additional info:
May be related to bug #187485.
Comment 1 Bojan Smojver 2009-06-24 20:52:05 EDT
Created attachment 349321
Set default ccname in the absence of KRB5CCNAME env variable

Correct the comment.
Comment 2 Bojan Smojver 2009-06-24 23:25:50 EDT
Created attachment 349327
Set default ccname in the absence of KRB5CCNAME env variable

Add debugging code.
Comment 3 Bojan Smojver 2009-06-25 04:01:03 EDT
Created attachment 349355
Set default ccname in the absence of KRB5CCNAME env variable

Use PATH_MAX for the size of the ccname. Use snprintf() instead of sprintf().
Comment 4 Bojan Smojver 2009-06-25 05:25:20 EDT
Created attachment 349364
Set default ccname in the absence of KRB5CCNAME env variable

Although previous patches worked, it seems that the code differentiates between v5ccname and v5filename. So, this patch follows that rule.
Comment 5 Bojan Smojver 2009-06-25 21:54:15 EDT
Created attachment 349495
Set default ccname in the absence of KRB5CCNAME env variable

This patch improves a bit on the logic of the default ccname when reinitialising, by removing some unnecessary ifs.

However, the main change is that we now obey KRB5CCNAME in establish, if it exists in the environment. With this, src/harness --auth --establish actually issues the ticket specified in KRB5CCNAME. This is useful in situations where this environment variable is pre-set by an administrator.
Comment 6 Bojan Smojver 2009-06-25 23:05:37 EDT
Created attachment 349503
Set default ccname in the absence of KRB5CCNAME env variable

Use unsigned types for printing uid_t.
Comment 7 Nalin Dahyabhai 2009-06-26 13:29:56 EDT
(In reply to comment #5)
> Created an attachment (id=349495)
> Set default ccname in the absence of KRB5CCNAME env variable

Better to use the krb5_cc_default_name() function for this, as it's what the libraries do.

> However, the main change is that we now obey KRB5CCNAME in establish, if it
> exists in the environment. With this, src/harness --auth --establish actually
> issues the ticket specified in KRB5CCNAME. This is useful in situations where
> this environment variable is pre-set by an administrator.

Um, no.  That would overwrite my ccache irreversibly if I were to su to another user using pam_krb5, and if I'm reading the patch right, delete it when the su session was closed.
Comment 8 Nalin Dahyabhai 2009-06-26 17:19:32 EDT
Created attachment 349610
patch to use krb5_cc_default_name() and do similar things for v4 tickets
Comment 9 Bojan Smojver 2009-06-26 19:01:23 EDT
Thanks. Not being too familiar with the code, I was just stumbling along there :-)
Comment 10 Nalin Dahyabhai 2009-06-29 13:49:23 EDT
No problem, and thanks for taking a stab at it regardless.
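
The fallback discussed in comments 3 to 7, sketched as an added example that is not code from the attached patches or from pam_krb5. The function names and the default `FILE:/tmp/krb5cc_<uid>` are assumptions of this example; code linked against libkrb5 would call krb5_cc_default_name(), as comment 7 advises.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumption: the traditional kinit default, FILE:/tmp/krb5cc_<uid>.
 * Code linked against libkrb5 should call krb5_cc_default_name() instead. */
#define DEFAULT_CC_FMT "FILE:/tmp/krb5cc_%lu"

/* Pick the ccache to refresh on PAM_REINITIALIZE_CRED: KRB5CCNAME if set
 * (empty counts as unset, a choice of this example), else the per-uid default.
 * Returns 0 on success, -1 if the name does not fit in out. */
int resolve_ccname(const char *env_value, uid_t uid, char *out, size_t outlen)
{
    int n;
    if (env_value != NULL && env_value[0] != '\0')
        n = snprintf(out, outlen, "%s", env_value);
    else /* cast so the unsigned format matches uid_t on any platform */
        n = snprintf(out, outlen, DEFAULT_CC_FMT, (unsigned long)uid);
    /* snprintf returns the length it needed; truncation is an error here */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Map a ccache name to its file path (the v5ccname/v5filename split):
 * "FILE:<path>" and bare paths are files, other types return NULL. */
const char *ccname_to_filename(const char *ccname)
{
    if (strncmp(ccname, "FILE:", 5) == 0)
        return ccname + 5;
    return (ccname[0] == '/' || strchr(ccname, ':') == NULL) ? ccname : NULL;
}

int main(void)
{
    char ccname[PATH_MAX];
    const char *file;
    if (resolve_ccname(getenv("KRB5CCNAME"), getuid(), ccname, sizeof(ccname)) != 0)
        return 1;
    file = ccname_to_filename(ccname);
    printf("ccname=%s file=%s\n", ccname, file ? file : "(not file-based)");
    return 0;
}
```

This resolution applies to the reinitialize path only; comment 7 explains why the establish path must not write to a cache named by an inherited KRB5CCNAME.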
