Bug 786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc
sssd and kerberos should change the default location for create the Credentia...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Stephen Gallagher
Fedora Extras Quality Assurance
:
Depends On: 851304
Blocks: 786993 796429 796430
  Show dependency treegraph
 
Reported: 2012-02-02 13:36 EST by Daniel Walsh
Modified: 2012-08-31 16:42 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 786993 (view as bug list)
Environment:
Last Closed: 2012-02-28 15:37:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2012-02-02 13:36:35 EST
I know we are late for this as a security feature, but I have been running with this for a while and I think it is the right thing to do.

Change sssd default to put the cc file in /run/user.  If this is accepted we will have to change rpc.gssd to look in this new location.

If you want I will write up a feature page for this.
Comment 1 Stephen Gallagher 2012-02-02 13:54:31 EST
It's probably too late for a feature submission, but can you open a dialog with the rpc.gssd folks about changing this? Find out whether it can be done within the F17 alpha timeframe (read: by Feb 13).
Comment 2 Simo Sorce 2012-02-02 16:47:48 EST
Also remember to change sssd defaults so that the mkstemp() is not used anymore.
In /run/user/username/ there are no races to fear and it will make for a much better experience as the ccache name will not change.
Comment 3 Fedora Update System 2012-02-22 09:41:22 EST
sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3
Comment 4 Fedora Update System 2012-02-22 12:45:42 EST
Package sssd-1.8.0-5.fc17.beta3:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-02-23 17:28:46 EST
Package sssd-1.8.0-5.fc17.beta3.1:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
then log in and leave karma (feedback).
Comment 6 Nalin Dahyabhai 2012-08-23 12:46:08 EDT
In testing, it looks like steved's getting KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be found by patches I've sent to the cifs-utils and nfs-utils maintainers.  The sssd-krb5 man page doesn't indicate that this was changed, either.  Should I reopen this, or open a new bug to correct these?
Comment 7 Jakub Hrozek 2012-08-23 13:01:54 EDT
(In reply to comment #6)
> In testing, it looks like steved's getting
> KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> found by patches I've sent to the cifs-utils and nfs-utils maintainers.

The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we should just s/ccdir/krb5cc/ right?

> The
> sssd-krb5 man page doesn't indicate that this was changed, either.  Should I
> reopen this, or open a new bug to correct these?

The default in the SSSD code is still FILE:/tmp/, mostly for cross-distribution and backwards compatibility. We rather override the SSSD default at configure time to current "DIR:/run/user/${UID}/ccdir". We should have also patched the man page to include the configured default instead of the upstream.

Can you open a new bug, please? I'll fix both the default and patch the man page.

[1] https://fedoraproject.org/wiki/Features/KRB5DirCache
Comment 8 Nalin Dahyabhai 2012-08-23 14:09:27 EDT
(In reply to comment #7)
> (In reply to comment #6)
> > In testing, it looks like steved's getting
> > KRB5CCNAME="DIR:/run/user/${UID}/ccdir" instead, which isn't going to be
> > found by patches I've sent to the cifs-utils and nfs-utils maintainers.
> 
> The feature page[1] says it's supposed to be /run/user/$UID/krb5cc so we
> should just s/ccdir/krb5cc/ right?

Looks like, yes.  Come to think of it, I expect SSSD was updated when the feature page said to do what SSSD is doing now (we changed the recommended setting a couple of weeks ago) so that's understandable.

> > The
> > sssd-krb5 man page doesn't indicate that this was changed, either.  Should I
> > reopen this, or open a new bug to correct these?
> 
> The default in the SSSD code is still FILE:/tmp/, mostly for
> cross-distribution and backwards compatibility. We rather override the SSSD
> default at configure time to current "DIR:/run/user/${UID}/ccdir". We should
> have also patched the man page to include the configured default instead of
> the upstream.
> 
> Can you open a new bug, please? I'll fix both the default and patch the man
> page.

Sure.  Filed as bug #851304.  Thanks!
Comment 9 John Florian 2012-08-31 13:53:33 EDT
I've looked at a bunch of related BZs and I'm not sure where this should go, here or elsewhere or a new ticket, but ...

I have a Fedora 18 host where sudo is failing with this (and more, but I believe these are the most relevant messages):

==> /var/log/messages <==
Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache directory /run/user/10325/ccdir does not exist

==> /var/log/secure <==
Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential cache directory /run/user/10325/ccdir does not exist]


This host has been configured with LDAP for identities and Kerberos for authentication.  Sudo has been configured to test for group membership where the requisite group is in LDAP (along with the user IDs).  Is this still on the TODO list for the feature or has something been overlooked possibly?
Comment 10 Jakub Hrozek 2012-08-31 16:09:15 EDT
(In reply to comment #9)
> I've looked at a bunch of related BZs and I'm not sure where this should go,
> here or elsewhere or a new ticket, but ...
> 
> I have a Fedora 18 host where sudo is failing with this (and more, but I
> believe these are the most relevant messages):
> 
> ==> /var/log/messages <==
> Aug 31 13:39:29 test-host [sssd[krb5_child[10593]]]: Credential cache
> directory /run/user/10325/ccdir does not exist
> 
> ==> /var/log/secure <==
> Aug 31 13:39:29 test-host sudo: pam_sss(sudo:auth): system info: [Credential
> cache directory /run/user/10325/ccdir does not exist]
> 
> 
> This host has been configured with LDAP for identities and Kerberos for
> authentication.  Sudo has been configured to test for group membership where
> the requisite group is in LDAP (along with the user IDs).  Is this still on
> the TODO list for the feature or has something been overlooked possibly?

John, please open a new bug against the SSSD.

Also please raise the debug level of the SSSD in the [domain] section to 8, restart the SSSD and then re-run the case. Then attache the contents of (sanitized) /var/log/sssd/sssd_$domainname.log.

Is the UID of your user 10325?

Are there any AVC denials in the syslog or audit.log?

Thank you!
Comment 11 John Florian 2012-08-31 16:17:04 EDT
New bug to follow.  Yes I'm UID 10325 and there were no AVC denials.
Comment 12 Jakub Hrozek 2012-08-31 16:25:38 EDT
(In reply to comment #11)
> New bug to follow.  Yes I'm UID 10325 and there were no AVC denials.

Thanks you! Can you please also include the full version of the sssd, all krb5-\* packages and systemd?
Comment 13 John Florian 2012-08-31 16:42:20 EDT
My issue now tracked at new bug #853558.

Note You need to log in before you can comment on or make changes to this bug.