I know we are late for this as a security feature, but I have been running with this for a while and I think it is the right thing to do. Change sssd default to put the cc file in /run/user. If this is accepted we will have to change rpc.gssd to look in this new location. If you want I will write up a feature page for this.
It's probably too late for a feature submission, but can you open a dialog with the rpc.gssd folks about changing this? Find out whether it can be done within the F17 alpha timeframe (read: by Feb 13).
Also remember to change sssd defaults so that the mkstemp() is not used anymore. In /run/user/username/ there are no races to fear and it will make for a much better experience as the ccache name will not change.
sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3
Package sssd-1.8.0-5.fc17.beta3:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3
then log in and leave karma (feedback).
Package sssd-1.8.0-5.fc17.beta3.1:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
then log in and leave karma (feedback).
In testing, it looks like steved's getting KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be found by patches I've sent to the cifs-utils and nfs-utils maintainers. The sssd-krb5 man page doesn't indicate that this was changed, either. Should I reopen this, or open a new bug to correct these?
(In reply to comment #6)
> In testing, it looks like steved's getting
> KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> found by patches I've sent to the cifs-utils and nfs-utils maintainers.

The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we should just s/ccdir/krb5cc/ right?

> The
> sssd-krb5 man page doesn't indicate that this was changed, either. Should I
> reopen this, or open a new bug to correct these?

The default in the SSSD code is still FILE:/tmp/, mostly for cross-distribution and backwards compatibility. We rather override the SSSD default at configure time to current "DIR:/run/user/${UID}/ccdir". We should have also patched the man page to include the configured default instead of the upstream.

Can you open a new bug, please? I'll fix both the default and patch the man page.

[1] https://fedoraproject.org/wiki/Features/KRB5DirCache
(In reply to comment #7)
> (In reply to comment #6)
> > In testing, it looks like steved's getting
> > KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> > found by patches I've sent to the cifs-utils and nfs-utils maintainers.
>
> The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we
> should just s/ccdir/krb5cc/ right?

Looks like, yes. Come to think of it, I expect SSSD was updated when the feature page said to do what SSSD is doing now (we changed the recommended setting a couple of weeks ago) so that's understandable.

> > The
> > sssd-krb5 man page doesn't indicate that this was changed, either. Should I
> > reopen this, or open a new bug to correct these?
>
> The default in the SSSD code is still FILE:/tmp/, mostly for
> cross-distribution and backwards compatibility. We rather override the SSSD
> default at configure time to current "DIR:/run/user/${UID}/ccdir". We should
> have also patched the man page to include the configured default instead of
> the upstream.
>
> Can you open a new bug, please? I'll fix both the default and patch the man
> page.

Sure. Filed as bug #851304. Thanks!
I've looked at a bunch of related BZs and I'm not sure where this should go, here or elsewhere or a new ticket, but ...

I have a Fedora 18 host where sudo is failing with this (and more, but I believe these are the most relevant messages):

==> /var/log/messages <==
Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache directory /run/user/10325/ccdir does not exist

==> /var/log/secure <==
Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential cache directory /run/user/10325/ccdir does not exist]

This host has been configured with LDAP for identities and Kerberos for authentication. Sudo has been configured to test for group membership where the requisite group is in LDAP (along with the user IDs). Is this still on the TODO list for the feature or has something been overlooked possibly?
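The check behind that krb5_child message, as an added example (not SSSD's own code): expand an SSSD-style ccache name template for one user and test whether the resulting cache directory exists. It assumes the %u (user name), %U (numeric UID) and %d (domain) tokens of krb5_ccname_template as described in sssd-krb5(5), plain values without sed metacharacters, and checks existence only, not ownership or permissions. The template string, user name, UID and domain given in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of SSSD: expand a ccache name template for a user
# and check whether the directory it points at exists, which is the
# condition behind "Credential cache directory ... does not exist".
#
# Assumptions: only the %u / %U / %d tokens of krb5_ccname_template are
# handled (others are left untouched); user, UID and domain values contain
# no sed metacharacters; existence is checked, not ownership or mode.

# expand_ccname TEMPLATE USER UID DOMAIN -> expanded ccache name on stdout
expand_ccname() {
    printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%U|$3|g" -e "s|%d|$4|g"
}

# ccdir_status CCNAME -> 0 if the directory the cache needs exists,
#                        1 if it is missing, 2 for an unsupported cache type
ccdir_status() {
    ccname=$1
    case "$ccname" in
        # DIR::<file> names one ticket file inside a directory cache
        DIR::*) dir=$(dirname "${ccname#DIR::}") ;;
        # DIR:<dir> names the directory cache itself
        DIR:*)  dir=${ccname#DIR:} ;;
        # FILE:<file> needs its parent directory (e.g. /tmp) to exist
        FILE:*) dir=$(dirname "${ccname#FILE:}") ;;
        *)      printf 'unsupported cache type in %s\n' "$ccname"; return 2 ;;
    esac
    if [ -d "$dir" ]; then
        printf 'ok: credential cache directory %s exists\n' "$dir"
        return 0
    fi
    printf 'missing: credential cache directory %s does not exist\n' "$dir"
    return 1
}

# Usage (values are illustrative):
#   ./ccdir_check.sh 'DIR:/run/user/%U/ccdir' jdoe 10325 example.com
if [ "$#" -eq 4 ]; then
    ccdir_status "$(expand_ccname "$1" "$2" "$3" "$4")"
fi
```

Run it as the affected user with the template from sssd.conf (or the configured default) to confirm whether the directory is there before turning up debug_level; a missing /run/user/<uid> is the case the log lines above show.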
(In reply to comment #9)
> I've looked at a bunch of related BZs and I'm not sure where this should go,
> here or elsewhere or a new ticket, but ...
>
> I have a Fedora 18 host where sudo is failing with this (and more, but I
> believe these are the most relevant messages):
>
> ==> /var/log/messages <==
> Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache
> directory /run/user/10325/ccdir does not exist
>
> ==> /var/log/secure <==
> Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential
> cache directory /run/user/10325/ccdir does not exist]
>
>
> This host has been configured with LDAP for identities and Kerberos for
> authentication. Sudo has been configured to test for group membership where
> the requisite group is in LDAP (along with the user IDs). Is this still on
> the TODO list for the feature or has something been overlooked possibly?

John, please open a new bug against the SSSD. Also please raise the debug level of the SSSD in the [domain] section to 8, restart the SSSD and then re-run the case. Then attach the contents of (sanitized) /var/log/sssd/sssd_$domainname.log.

Is the UID of your user 10325? Are there any AVC denials in the syslog or audit.log?

Thank you!
New bug to follow. Yes I'm UID 10325 and there were no AVC denials.
(In reply to comment #11)
> New bug to follow. Yes I'm UID 10325 and there were no AVC denials.

Thank you! Can you please also include the full version of the sssd, all krb5-* packages and systemd?
My issue now tracked at new bug #853558.