11:31 a.m.
If krb5_canonicalize is not present or is True in sssd.conf, then sssd
asks krb5_get_init_creds_keytab() to canonicalize principals. This can
change the client principal. When writing out the credential cache, we
should use this changed principal, and not the original one.
Failure to do this results in errors when LDAP tries to use the
credential cache:
[19310] 1334138369.931274: Initializing
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
default principal STEF-DESKTOP$(a)AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$(a)AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$(a)AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN in
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired
on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for
server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials
STEF-DESKTOP$(a)AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@ from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$(a)AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan(a)AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with
ldap/dc.ad.thewalter.lan(a)AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
This is because the default principal in the credential cache does not
match any of the credentials:
[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$(a)AD.THEWALTER.LAN
Valid starting Expires Service principal
04/11/12 12:01:01 04/11/12 22:00:48
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN
for client stef-desktop$(a)AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
Note the difference in capitalization.
This bug is present in SSSD git master.
Will attach simple patch which fixes the problem. An alternate patch
would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
writing the credential cache in sssd code.
Cheers,
Stef
12:01 p.m.
On Fri, 2012-05-04 at 18:31 +0200, Stef Walter wrote:
If krb5_canonicalize is not present or is True in sssd.conf, then
sssd
asks krb5_get_init_creds_keytab() to canonicalize principals. This can
change the client principal. When writing out the credential cache, we
should use this changed principal, and not the original one.
Failure to do this results in errors when LDAP tries to use the
credential cache:
...
This is because the default principal in the credential cache does
not
match any of the credentials:
[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$(a)AD.THEWALTER.LAN
Valid starting Expires Service principal
04/11/12 12:01:01 04/11/12 22:00:48
krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN
for client stef-desktop$(a)AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
Note the difference in capitalization.
This bug is present in SSSD git master.
Will attach simple patch which fixes the problem. An alternate patch
would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
writing the credential cache in sssd code.
Thanks for the patch! Just a few things:
Please add a comment stating the reason to use my_creds.client instead
of kprinc so future developers don't get confused.
Also, this change needs to be made to src/providers/krb5/krb5_child.c as
well. From discussion on IRC, "create_ccache_file() could lose the
krb5_principal argument and always use the one in the creds".
2:41 p.m.
On 05/04/2012 07:01 PM, Stephen Gallagher wrote:
> Will attach simple patch which fixes the problem. An alternate
patch
> would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
> writing the credential cache in sssd code.
Thanks for the patch! Just a few things:
Please add a comment stating the reason to use my_creds.client instead
of kprinc so future developers don't get confused.
Done.
Also, this change needs to be made to src/providers/krb5/krb5_child.c
as
well. From discussion on IRC, "create_ccache_file() could lose the
krb5_principal argument and always use the one in the creds".
Updated krb5_child.c. Didn't change signature of create_ccache_file() as
its called with NULL creds sometimes.
New patch attached,
Cheers,
Stef
2:47 p.m.
On Fri, 2012-05-04 at 21:41 +0200, Stef Walter wrote:
On 05/04/2012 07:01 PM, Stephen Gallagher wrote:
>> Will attach simple patch which fixes the problem. An alternate patch
>> would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
>> writing the credential cache in sssd code.
>
> Thanks for the patch! Just a few things:
>
> Please add a comment stating the reason to use my_creds.client instead
> of kprinc so future developers don't get confused.
Done.
> Also, this change needs to be made to src/providers/krb5/krb5_child.c as
> well. From discussion on IRC, "create_ccache_file() could lose the
> krb5_principal argument and always use the one in the creds".
Updated krb5_child.c. Didn't change signature of create_ccache_file() as
its called with NULL creds sometimes.
New patch attached,
Ack and pushed to master.
4375
days inactive
4375
days old
sssd-devel@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Stef Walter -
Stephen Gallagher