811518 – Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()

Bug 811518 - Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()

Summary: Invalid cache file created when canoning principals during krb5_get_init_cred...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Stephen Gallagher
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-11 10:25 UTC by Stef Walter
Modified:	2020-05-02 16:51 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-06-15 00:34:44 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
If canon'ing principals, write ccache with updated default principal (1.21 KB, patch) 2012-04-11 10:27 UTC, Stef Walter	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2340	0	None	None	None	2020-05-02 16:51:24 UTC
Red Hat Knowledge Base (Solution)	163693	0	None	None	None	Never

Description Stef Walter 2012-04-11 10:25:33 UTC

If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the credential cache:

[19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not match any of the credentials:

[root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN.LAN
	for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.

Comment 1 Stef Walter 2012-04-11 10:27:58 UTC

Created attachment 576740 [details]
If canon'ing principals, write ccache with updated default principal

 * When calling krb5_get_init_creds_keytab() with
   krb5_get_init_creds_opt_set_canonicalize() the credential
   principal can get updated.
 * Create the cache file with the correct default credential.
 * LDAP GSSAPI SASL would fail due to the mismatched credentials
   before this patch.

Comment 2 Dmitri Pal 2012-04-11 16:15:48 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1298

Comment 3 Stef Walter 2012-05-07 07:39:56 UTC

Fix committed by sgallagh to git master.

Comment 4 Fedora Update System 2012-05-30 19:58:40 UTC

sssd-1.8.4-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc17

Comment 5 Fedora Update System 2012-05-30 20:11:48 UTC

sssd-1.8.4-12.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc16

Comment 6 Fedora Update System 2012-06-01 17:01:33 UTC

Package sssd-1.8.4-12.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.4-12.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8700/sssd-1.8.4-12.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-06-15 00:34:44 UTC

sssd-1.8.4-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-06-15 00:35:11 UTC

sssd-1.8.4-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.