Bug 811518 - Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-04-11 06:25 EDT by Stef Walter
Modified: 2013-07-04 08:51 EDT

Doc Type: Bug Fix
Last Closed: 2012-06-14 20:34:44 EDT
Type: Bug

Attachments
If canon'ing principals, write ccache with updated default principal (1.21 KB, patch)
2012-04-11 06:27 EDT, Stef Walter


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 163693 None None None Never

Description Stef Walter 2012-04-11 06:25:33 EDT
If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the credential cache:

[19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not match any of the credentials:

[root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
	for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

I will attach a simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Comment 1 Stef Walter 2012-04-11 06:27:58 EDT
Created attachment 576740 [details]
If canon'ing principals, write ccache with updated default principal

 * When calling krb5_get_init_creds_keytab() with
   krb5_get_init_creds_opt_set_canonicalize() the credential
   principal can get updated.
 * Create the cache file with the correct default credential.
 * LDAP GSSAPI SASL would fail due to the mismatched credentials
   before this patch.
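The description and the patch summary above both come down to one check: the default principal written into the FILE ccache must be byte-for-byte equal to the client principal of the credentials stored in it, because krb5 compares principals case-sensitively and otherwise reports "Matching credential not found". The following added example (not SSSD's code, and not the patch attached to this bug) builds a minimal MIT FILE ccache (format version 4) from the principals shown in the klist output, then parses it back and reports every credential whose client principal differs from the cache's default principal. The builder writes a dummy 16-byte key, zero timestamps and an empty ticket, which is enough for the structural check; the principal splitter assumes no escaped "@" or "/" characters. Nothing here talks to a KDC.

```python
import struct

# MIT FILE ccache, format version 4 (all integers big-endian); 1 = KRB5_NT_PRINCIPAL.
CCACHE_VERSION = b"\x05\x04"
NT_PRINCIPAL = 1


def _split_principal(text):
    """'krbtgt/R@R' -> (['krbtgt', 'R'], 'R'). Assumes no escaped '@' or '/' (assumption)."""
    name, realm = text.rsplit("@", 1)
    return name.split("/"), realm


def _encode_principal(text):
    comps, realm = _split_principal(text)
    out = struct.pack(">II", NT_PRINCIPAL, len(comps))
    for field in [realm] + comps:          # realm first, then each component
        raw = field.encode()
        out += struct.pack(">I", len(raw)) + raw
    return out


def _encode_cred(client, server):
    """One credential with a dummy key/ticket (constructed values, not real Kerberos data)."""
    key = b"\x00" * 16
    out = _encode_principal(client) + _encode_principal(server)
    out += struct.pack(">HI", 17, len(key)) + key       # keyblock: enctype, length, key
    out += struct.pack(">IIII", 0, 0, 0, 0)             # authtime, starttime, endtime, renew_till
    out += struct.pack(">B", 0)                         # is_skey
    out += struct.pack(">I", 0)                         # ticket flags
    out += struct.pack(">I", 0) + struct.pack(">I", 0)  # no addresses, no authdata
    out += struct.pack(">I", 0) + struct.pack(">I", 0)  # empty ticket, empty second ticket
    return out


def build_ccache(default_principal, creds):
    """creds is a list of (client, server) principal strings; header section left empty."""
    body = CCACHE_VERSION + struct.pack(">H", 0) + _encode_principal(default_principal)
    return body + b"".join(_encode_cred(c, s) for c, s in creds)


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def data(self):
        return self.take(self.u32())

    def principal(self):
        self.u32()                                   # name type, not needed for the check
        count = self.u32()
        realm = self.data().decode()
        comps = [self.data().decode() for _ in range(count)]
        return "/".join(comps) + "@" + realm

    def credential(self):
        client, server = self.principal(), self.principal()
        self.u16(); self.data()                      # keyblock
        self.take(16)                                # four 32-bit timestamps
        self.u8(); self.u32()                        # is_skey, ticket flags
        for _ in range(self.u32()):                  # addresses
            self.u16(); self.data()
        for _ in range(self.u32()):                  # authdata
            self.u16(); self.data()
        self.data(); self.data()                     # ticket, second ticket
        return client, server


def parse_ccache(buf):
    """Return (default_principal, [(client, server), ...]) from a version-4 FILE ccache."""
    r = _Reader(buf)
    if r.take(2) != CCACHE_VERSION:
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                  # skip header fields (e.g. KDC time offset)
    default = r.principal()
    creds = []
    while r.pos < len(buf):
        creds.append(r.credential())
    return default, creds


def mismatched_clients(buf):
    """Clients that differ from the default principal, compared exactly as krb5 does (case-sensitive).
    A non-empty result is the condition behind the 'Matching credential not found' errors above."""
    default, creds = parse_ccache(buf)
    return [client for client, _server in creds if client != default]


# Constructed from the klist output in the bug description.
TGT = "krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN"
BROKEN = build_ccache("STEF-DESKTOP$@AD.THEWALTER.LAN", [("stef-desktop$@AD.THEWALTER.LAN", TGT)])
FIXED = build_ccache("stef-desktop$@AD.THEWALTER.LAN", [("stef-desktop$@AD.THEWALTER.LAN", TGT)])

if __name__ == "__main__":
    print("broken cache mismatches:", mismatched_clients(BROKEN))
    print("fixed cache mismatches:", mismatched_clients(FIXED))
```

The FIXED cache is what SSSD gets by initializing the ccache with the client principal returned in the credentials (or by letting libkrb5 write it via krb5_get_init_creds_opt_set_out_ccache(), as the alternate fix mentions), rather than the principal it started from before canonicalization.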
Comment 2 Dmitri Pal 2012-04-11 12:15:48 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1298
Comment 3 Stef Walter 2012-05-07 03:39:56 EDT
Fix committed by sgallagh to git master.
Comment 4 Fedora Update System 2012-05-30 15:58:40 EDT
sssd-1.8.4-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc17
Comment 5 Fedora Update System 2012-05-30 16:11:48 EDT
sssd-1.8.4-12.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc16
Comment 6 Fedora Update System 2012-06-01 13:01:33 EDT
Package sssd-1.8.4-12.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.4-12.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8700/sssd-1.8.4-12.fc16
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-06-14 20:34:44 EDT
sssd-1.8.4-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-14 20:35:11 EDT
sssd-1.8.4-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
