RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 991184 - Support libkrb5's new kernel keyring based credentials cache
Summary: Support libkrb5's new kernel keyring based credentials cache
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnome-online-accounts
Version: 7.0
Hardware: All
OS: Linux
high
unspecified
Target Milestone: beta
: ---
Assignee: Debarshi Ray
QA Contact: Desktop QE
URL:
Whiteboard:
: 1013697 (view as bug list)
Depends On: 991110
Blocks: 991169
TreeView+ depends on / blocked
 
Reported: 2013-08-01 19:24 UTC by Stephen Gallagher
Modified: 2019-09-06 14:32 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:55:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 707402 0 None None None 2019-06-10 18:14:47 UTC
GNOME Bugzilla 710116 0 None None None 2019-06-10 18:14:47 UTC

Description Stephen Gallagher 2013-08-01 19:24:04 UTC 
Description of problem:

A new, kernel-keyring based credential cache is being added to libkrb5 and used by default in RHEL 7.0. See BZ #991110 and #991148 for full details on the interface.
Comment 1 Ray Strode [halfline] 2013-09-03 18:48:38 UTC 
Note this bug depends on getting change notification into the kerberos keyring.  adding bug 991110 as a dependency.  If we don't get that feature we'll have to revert to polling, which is not very nice for power usage and probably unacceptable.
Comment 3 Ray Strode [halfline] 2013-09-11 01:56:55 UTC 
just to post an update here, on the upstream bug I've put a first cut at a patch to fall back to polling.  Clearly, though, we still want the kernel notification api and want to use that api when it's available.  This is just gives us a safety net if schedules don't end up aligning.
Comment 5 Ray Strode [halfline] 2013-09-26 17:17:23 UTC 
testing will require

1) installing updated krb5-libs / sssd packages that enable the kernel keyring support and change user's logins to use that credential cache type by default.

2) running kinit from the command line and seeing if a transient g-o-a identity shows up in control-center online accounts panel for the kinit'd identity

3) running kdestroy from the command line and seeing if control-center notices

4) adding an identity explicitly through control-center, and running kdestroy to see if the identity state gets updated.
Comment 6 Debarshi Ray 2013-11-01 16:37:18 UTC 
*** Bug 1013697 has been marked as a duplicate of this bug. ***
Comment 7 Debarshi Ray 2013-11-01 16:39:03 UTC 
(In reply to Vladimir Benes from comment #4)
> (In reply to Ray Strode [halfline] from comment #3)
> > just to post an update here, on the upstream bug I've put a first cut at a
> > patch to fall back to polling.  Clearly, though, we still want the kernel
> > notification api and want to use that api when it's available.  This is just
> > gives us a safety net if schedules don't end up aligning.
> 
> wanted to provide qack but I am  not sure how to test this. Is turning
> on/off from g-o-a enough for this? Should getting kerberos ticket via g-o-a
> be possible as well? Anything else?

Apart from what Ray already said, if your g-o-a doesn't support using the kernel keyring cache, then you will see a crash like this:

#0 __strcmp_sse42 at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:235
 #1 krb5int_cc_getops at ccbase.c:269
 #2 krb5_cc_new_unique at ccbase.c:302
 #3 get_new_credentials_cache at goakerberosidentitymanager.c:784
 #4 sign_in_identity at goakerberosidentitymanager.c:809
 #5 on_job_scheduled at goakerberosidentitymanager.c:1018
 #6 io_job_thread at gioscheduler.c:89
 #7 g_task_thread_pool_thread at gtask.c:1242
 #9 g_thread_proxy at gthread.c:798
 #11 clone at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
Comment 8 Debarshi Ray 2013-11-01 17:25:13 UTC 
I built gnome-online-accounts-3.8.4.1-2.el7 which should support kernel keyring based credentials cache: https://brewweb.devel.redhat.com/taskinfo?taskID=6513976
Comment 10 Ray Strode [halfline] 2013-11-04 17:19:13 UTC 
Note we're still waiting on a kernel notification API to do this without polling (as per comment 1)
Comment 13 Vladimir Benes 2014-03-05 12:10:47 UTC 
used steps from:
https://bugzilla.redhat.com/show_bug.cgi?id=991184#c5

and everything works as expected
Comment 14 Ludek Smid 2014-06-13 11:55:56 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.