If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one.
Failure to do this results in errors when LDAP tries to use the credential cache:
[19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default principal STEF-DESKTOP$@AD.THEWALTER.LAN [19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369] (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null) [18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@ [18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946769: Getting credentials STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN [18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
This is because the default principal in the credential cache does not match any of the credentials:
[root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN
Valid starting Expires Service principal 04/11/12 12:01:01 04/11/12 22:00:48 krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
Note the difference in capitalization.
This bug is present in SSSD git master.
Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Cheers,
Stef
On Fri, 2012-05-04 at 18:31 +0200, Stef Walter wrote:
If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one.
Failure to do this results in errors when LDAP tries to use the credential cache:
...
This is because the default principal in the credential cache does not match any of the credentials:
[root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN
Valid starting Expires Service principal 04/11/12 12:01:01 04/11/12 22:00:48 krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
Note the difference in capitalization.
This bug is present in SSSD git master.
Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Thanks for the patch! Just a few things:
Please add a comment stating the reason to use my_creds.client instead of kprinc so future developers don't get confused.
Also, this change needs to be made to src/providers/krb5/krb5_child.c as well. From discussion on IRC, "create_ccache_file() could lose the krb5_principal argument and always use the one in the creds".
On 05/04/2012 07:01 PM, Stephen Gallagher wrote:
Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Thanks for the patch! Just a few things:
Please add a comment stating the reason to use my_creds.client instead of kprinc so future developers don't get confused.
Done.
Also, this change needs to be made to src/providers/krb5/krb5_child.c as well. From discussion on IRC, "create_ccache_file() could lose the krb5_principal argument and always use the one in the creds".
Updated krb5_child.c. Didn't change signature of create_ccache_file() as its called with NULL creds sometimes.
New patch attached,
Cheers,
Stef
On Fri, 2012-05-04 at 21:41 +0200, Stef Walter wrote:
On 05/04/2012 07:01 PM, Stephen Gallagher wrote:
Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code.
Thanks for the patch! Just a few things:
Please add a comment stating the reason to use my_creds.client instead of kprinc so future developers don't get confused.
Done.
Also, this change needs to be made to src/providers/krb5/krb5_child.c as well. From discussion on IRC, "create_ccache_file() could lose the krb5_principal argument and always use the one in the creds".
Updated krb5_child.c. Didn't change signature of create_ccache_file() as its called with NULL creds sometimes.
New patch attached,
Ack and pushed to master.
sssd-devel@lists.fedorahosted.org
-
Stef Walter -
Stephen Gallagher