Bug 965574 - Kerberos libraries cannot handle KRB5CCNAME with DIR ccache
Kerberos libraries cannot handle KRB5CCNAME with DIR ccache
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
http://krbdev.mit.edu/rt/Ticket/Displ...
:
Depends On:
Blocks: 965133
  Show dependency treegraph
 
Reported: 2013-05-21 07:30 EDT by Martin Kosek
Modified: 2013-05-25 23:45 EDT (History)
2 users (show)

See Also:
Fixed In Version: krb5-1.11.2-6.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-25 23:45:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2013-05-21 07:30:25 EDT
Description of problem:
When testing DIR CCACHE with FreeIPA in Fedora 19 I cannot make Kerberos auth working when I use DIR CCACHE in KRB5CCNAME attribute. I am not sure what I am doing wrong:

# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktEUNgMM
Default principal: admin@IDM.LAB.BOS.REDHAT.COM

Valid starting       Expires              Service principal
05/20/2013 11:05:09  05/21/2013 11:05:08  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
05/20/2013 11:17:37  05/21/2013 11:05:08  ldap/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
05/21/2013 06:39:16  05/21/2013 11:05:08  HTTP/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

DIR ccache type works for klist:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM klist -c
Ticket cache: DIR::/run/user/0/krb5cc/tktEUNgMM
Default principal: admin@IDM.LAB.BOS.REDHAT.COM

Valid starting       Expires              Service principal
05/20/2013 11:05:09  05/21/2013 11:05:08  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
05/20/2013 11:17:37  05/21/2013 11:05:08  ldap/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
05/21/2013 06:39:16  05/21/2013 11:05:08  HTTP/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

But it does not work for other projects:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM ipa user-find
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM ldapsearch -h localhost -Y GSSAPI -b cn=config -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)


I tested it with python-kerberos and I get the same results:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM python
Python 2.7.5 (default, May 16 2013, 13:44:12) 
[GCC 4.8.0 20130412 (Red Hat 4.8.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import kerberos
>>> (rc, vc) = kerberos.authGSSClientInit("HTTP@vm-119.idm.lab.bos.redhat.com", kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG)
>>> kerberos.authGSSClientStep(vc, "")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
>>> 

When using FILE type CCACHE for the same code, it works:

# KRB5CCNAME=FILE:/run/user/0/krb5cc/tktEUNgMM python
Python 2.7.5 (default, May 16 2013, 13:44:12) 
[GCC 4.8.0 20130412 (Red Hat 4.8.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import kerberos
>>> (rc, vc) = kerberos.authGSSClientInit("HTTP@vm-119.idm.lab.bos.redhat.com", kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG)
>>> kerberos.authGSSClientStep(vc, "")
0
>>> 

Version-Release number of selected component (if applicable):
krb5-devel-1.11.2-5.fc19.x86_64

How reproducible:


Steps to Reproduce:
1. See above
2.
3.

Actual results:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)

Expected results:
DIR CCACHE type can be passed and used in KRB5CCNAME attribute. We construct this type of KRB5CCCAME when Kerberos default_ccache()'s returns type "DIR"

Additional info:
Comment 1 Nalin Dahyabhai 2013-05-21 13:38:16 EDT
It's a subtle difference in the way the library has treated KRB5CCNAME values that look like "DIR:/path/to/dir" from values that look like "DIR::/path/to/file".  A simpler method of checking is to run "klist -A".  We can backport the upstream fix.
Comment 2 Nalin Dahyabhai 2013-05-21 14:32:09 EDT
Note that the upstream fix treats a "DIR::" collection as if it were a "DIR:" collection with only one ccache in it, so for the sake of cases where the user will have multiple TGTs, the better longer-term plan is probably to change whatever's setting KRB5CCNAME to point to the entire directory rather than one component in it.
Comment 3 Fedora Update System 2013-05-21 14:35:13 EDT
krb5-1.11.2-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-8113/krb5-1.11.2-6.fc19
Comment 4 Martin Kosek 2013-05-21 15:07:41 EDT
Thanks Nalin for quick fix!

I can confirm that this updated fixed the issue:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktyKSS4u ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1977400000
  GID: 1977400000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

Giving karma+1.
Comment 5 Fedora Update System 2013-05-22 18:40:32 EDT
Package krb5-1.11.2-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.2-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8113/krb5-1.11.2-6.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-05-25 23:45:02 EDT
krb5-1.11.2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.