711416 – During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

Bug 711416 - During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

Summary: During the change password operation the ccache is not replaced by a new one ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Stephen Gallagher
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	748846
TreeView+	depends on / blocked

Reported:	2011-06-07 12:49 UTC by Gowrishankar Rajaiyan
Modified:	2020-05-04 10:21 UTC (History)
CC List:	8 users (show)
Fixed In Version:	sssd-1.5.1-42.el6
Doc Type:	Bug Fix
Doc Text:	Cause: During the login process, SSSD may attempt to create a ccache file for the user if the old ccache file has already expired. The SSH deamon uses different processes with different UIDs for different parts of the login process. Consequence: If a user has logged in some time ago and his password has since expired, SSSD would be unable to switch to a new ccache Fix: SSSD forces removal of the old ccache if the kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code Result: SSSD is able to recreate a ccache file instead of an existing but inactive ccache file for a user logging in via SSH with his password expired
Clone Of:
Clones:	748846 (view as bug list)
Environment:
Last Closed:	2011-12-06 16:38:46 UTC
Target Upstream Version:

Attachments	(Terms of Use)
sssd_domain.log (184.03 KB, text/plain) 2011-06-07 12:53 UTC, Gowrishankar Rajaiyan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 1930	0	None	closed	Remove unused ccache file if password is expired	2020-05-04 10:21:12 UTC
Red Hat Product Errata	RHBA-2011:1529	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2011-12-06 00:50:20 UTC

Description Gowrishankar Rajaiyan 2011-06-07 12:49:48 UTC

Description of problem:
During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

Version-Release number of selected component (if applicable):
sssd-1.5.1-40.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
uidNumber: 1866400007
gidNumber: 1866400007
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ


[root@bumblebee ~]# ipa user-del shanks
---------------------
Deleted user "shanks"
---------------------
[root@bumblebee ~]# ipa user-add shanks --password
First name: Shanks
Last name: r
Password: 
Enter Password again to verify: 
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: Shanks
  Last name: r
  Full name: Shanks r
  Display name: Shanks r
  Initials: Sr
  Home directory: /home/shanks
  GECOS field: shanks
  Login shell: /bin/sh
  Kerberos principal: shanks.PNQ.REDHAT.COM
  UID: 1866400008
[root@bumblebee ~]# 


[root@bumblebee ~]# ssh -l shanks localhost 
shanks@localhost's password: 
Permission denied, please try again.
shanks@localhost's password: 


(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x1a5bf40

(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x1a30bd0

(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Destroying timer event 0x1a30bd0 "ltdb_timeout"

(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ldb] (9): tevent: Ending timer event 0x1a5bf40 "ltdb_callback"

(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1866400007_wPJrHJ] exists, but is owned by [1866400007] instead of [1866400008].
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_auth_handler_done] (1): krb5_auth_recv request failed.
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, <NULL>) [Success]
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sending result [4][lab.eng.pnq.redhat.com]
(Tue Jun  7 07:39:18 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Sent result [4][lab.eng.pnq.redhat.com]
(Tue Jun  7 07:39:20 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sbus_dispatch] (9): dbus conn: 1A0E6D0
(Tue Jun  7 07:39:20 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sbus_dispatch] (9): Dispatching.


[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ
uidNumber: 1866400008
gidNumber: 1866400008


[root@bumblebee ~]# rm -fvr /tmp/krb5cc_1866400007_wPJrHJ 
removed `/tmp/krb5cc_1866400007_wPJrHJ'

[root@bumblebee ~]# ssh -l shanks localhost 
shanks@localhost's password: 
Password expired. Change your password now.

RHEL6.2-20110512.n.0_nfs-Server-x86_64
Used by: Shanks

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user shanks.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to localhost closed.


 
Actual results:
During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.

[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb uidNumber gidNumber ccacheFile
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
ccacheFile: FILE:/tmp/krb5cc_1866400007_wPJrHJ
uidNumber: 1866400008
gidNumber: 1866400008


[root@bumblebee ~]# ls -l /tmp/krb5cc_1866400007_wPJrHJ 
-rw-------. 1 shanks shanks 604 Jun  7 07:41 /tmp/krb5cc_1866400007_wPJrHJ
[root@bumblebee ~]# 


Expected results:
We should delete ccacheFile attribute from the cache if we detect we don't need to hold one anymore before we continue authentication.
 
Additional info:

Comment 1 Gowrishankar Rajaiyan 2011-06-07 12:53:20 UTC

Created attachment 503475 [details]
sssd_domain.log

# cat /etc/sssd/sssd.conf 
[sssd]
services = nss, pam
config_file_version = 2

domains = lab.eng.pnq.redhat.com
[nss]

[pam]

[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, bumblebee.lab.eng.pnq.redhat.com
debug_level = 9

Comment 3 Sumit Bose 2011-06-08 11:46:16 UTC

There are two issues here:

1.) The uid of a user changed, because the user was deleted and added afterwards with a new uid. Since sssd reuses the same cached object the stored ccache file now belongs to a different user ("Cache file [/tmp/krb5cc_1866400007_wPJrHJ]
exists, but is owned by [1866400007] instead of [1866400008]."). This is tracked upstream in ticket https://fedorahosted.org/sssd/ticket/884 .

2.) Due to the privilege separation ind sshd a ccache file with a random name cannot be recreated if the password is expired during the change password operation. This is tracked upstream in ticket https://fedorahosted.org/sssd/ticket/888 .

Please decide if this ticket needs to be split into two, maybe with different flags.

Comment 4 Stephen Gallagher 2011-06-08 11:57:57 UTC

(In reply to comment #3)
> 2.) Due to the privilege separation ind sshd a ccache file with a random name
> cannot be recreated if the password is expired during the change password
> operation. This is tracked upstream in ticket
> https://fedorahosted.org/sssd/ticket/888 .
Is this the reason why we get "Connection to localhost closed." when changing an expired password through SSH?

> Please decide if this ticket needs to be split into two, maybe with different
> flags.

I think this should be split. I suspect that the expired password issue is a higher priority.

Comment 5 Sumit Bose 2011-06-08 12:24:06 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > 2.) Due to the privilege separation ind sshd a ccache file with a random name
> > cannot be recreated if the password is expired during the change password
> > operation. This is tracked upstream in ticket
> > https://fedorahosted.org/sssd/ticket/888 .
> Is this the reason why we get "Connection to localhost closed." when changing
> an expired password through SSH?
> 

no, afaik this is a "feature" of sshd's privilege separation, if you set 'UsePrivilegeSeparation no' in sshd_config you will be logged in after changing the password.

> > Please decide if this ticket needs to be split into two, maybe with different
> > flags.
> 
> I think this should be split. I suspect that the expired password issue is a
> higher priority.

Comment 6 Dmitri Pal 2011-06-09 13:28:28 UTC

This is BZ for https://fedorahosted.org/sssd/ticket/888

Comment 7 Stephen Gallagher 2011-07-07 12:29:02 UTC

Upstream does not have any plans to resolve https://fedorahosted.org/sssd/ticket/884 at this time.

We will use this Bugzilla to track only the second issue, which relates to removing the old credential cache file during password-change operations.

QE: if you want to track the resolution of the UID/GID change RFE, please open a new BZ.

Comment 10 Kaushik Banerjee 2011-09-08 17:22:22 UTC

Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 49.el6                        Build Date: Mon 29 Aug 2011 08:25:05 PM IST
Install Date: Wed 31 Aug 2011 12:17:23 PM IST      Build Host: x86-004.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-49.el6.src.rpm
Size        : 3669275                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 11 Jakub Hrozek 2011-10-27 16:17:28 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: During the login process, SSSD may attempt to create a ccache file for the user if the old ccache file has already expired. The SSH deamon uses different processes with different UIDs for different parts of the login process.
Consequence: If a user has logged in some time ago and his password has since expired, SSSD would be unable to switch to a new ccache
Fix: SSSD forces removal of the old ccache if the kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code
Result: SSSD is able to recreate a ccache file instead of an existing but inactive ccache file for a user logging in via SSH with his password expired

Comment 12 errata-xmlrpc 2011-12-06 16:38:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html

Note You need to log in before you can comment on or make changes to this bug.