URL:
https://github.com/SSSD/sssd/pull/5766
Title: #5766: Sources cleanup - part 3.
alexey-tikhonov commented:
"""
After upgrade from json-ed ccache I got:
```
[pbrezina /dev/shm/sssd]$ klist
klist: Internal credentials cache error
```
This happens one time:
```
(2021-09-25 11:40:48): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all ccaches
(2021-09-25 11:40:48): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/0/ccache/]
(2021-09-25 11:40:48): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=77aa5f1e-dd99-4479-9d5a-a1641f346505-0,cn=ccache,cn=0,cn=persistent,cn=kcm] is [77aa5f1e-dd99-4479-9d5a-a1641f346505-0]
(2021-09-25 11:40:48): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-09-25 11:40:48): [kcm] [ccdb_secdb_list_send] (0x2000): Found 1 ccaches
...
(2021-09-25 11:40:48): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_PRINCIPAL
(2021-09-25 11:40:48): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/0/ccache/77aa5f1e-dd99-4479-9d5a-a1641f346505-0]
(2021-09-25 11:40:48): [kcm] [secdb_get_cc] (0x0040): Cannot convert data to ccache [12]: Cannot allocate memory, deleting this entry
(2021-09-25 11:40:48): [kcm] [sss_sec_delete] (0x0400): Removing a secret from [persistent/0/ccache/77aa5f1e-dd99-4479-9d5a-a1641f346505-0]
(2021-09-25 11:40:48): [kcm] [kcm_reply_error] (0x0040): KCM operation returns failure [2]: No such file or directory
(2021-09-25 11:40:48): [kcm] [kcm_failbuf_construct] (0x1000): Sent reply with error -1765328188
```
-- `sss_sec_list()` finds the ccache in the old format but later `sss_sec_get()` fails for this
key and deletes this entry, so a second `klist` doesn't fail.
Options are:
- try to convert the ccache in `sss_sec_list()` and delete malformed entries there:
unconditional perf overhead to remove outdated entries once (if any)
- patch `sss2krb5_error()` to translate `ENOENT` to `KRB5_CC_NOTFOUND`. The result will be
different output:
```
# klist
klist: Matching credential not found
```
-- looks a little bit better, but I'm not sure this conversion is the right thing in
other possible scenarios
- leave it as is. IIRC, ccaches in the old format haven't been created since F32 and I think
we aren't going to rebase Fedora older than 35 on the new 2.6 release (is this correct?)
So I think the chances of meeting a ccache in the old format on F35+ are low and perhaps we can
tolerate this one-time error output of klist in this case...
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5766#issuecomment-927148719
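
One way to spot this one-time drop in a KCM debug log, as an added example that is not part of the original comment or of SSSD: it pairs the `secdb_get_cc` conversion failure with the `sss_sec_delete` of the same key and the error code sent back to the client. The record layout is assumed from the log lines quoted in the comment; the sample log is constructed from them, and the all-zero key is made up.

```python
import re

# Constructed sample: quoted sssd_kcm lines (still hard-wrapped) plus a made-up healthy lookup.
SAMPLE_LOG = """\
(2021-09-25 11:40:48): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from
[persistent/0/ccache/77aa5f1e-dd99-4479-9d5a-a1641f346505-0]
(2021-09-25 11:40:48): [kcm] [secdb_get_cc] (0x0040): Cannot convert data to ccache [12]:
Cannot allocate memory, deleting this entry
(2021-09-25 11:40:48): [kcm] [sss_sec_delete] (0x0400): Removing a secret from
[persistent/0/ccache/77aa5f1e-dd99-4479-9d5a-a1641f346505-0]
(2021-09-25 11:40:48): [kcm] [kcm_failbuf_construct] (0x1000): Sent reply with error
-1765328188
(2021-09-25 11:41:02): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from
[persistent/0/ccache/00000000-0000-0000-0000-000000000000-0]
"""

RECORD = re.compile(r"^\((?P<ts>[^)]+)\): \[kcm\] \[(?P<fn>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
KEY = re.compile(r"\[(persistent/[^\]]+)\]")

def unwrap(text):
    """Rejoin hard-wrapped records: only a new record starts with '('."""
    records = []
    for line in text.splitlines():
        if line.startswith("(") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def dropped_ccaches(text):
    """Report ccache entries that failed conversion, with delete status and reply code."""
    events, last_get, pending = [], None, None
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        fn, msg, key = m["fn"], m["msg"], KEY.search(m["msg"])
        if fn == "sss_sec_get" and key:
            last_get = key[1]  # remember which key the next conversion error refers to
        elif fn == "secdb_get_cc" and "Cannot convert data to ccache" in msg:
            pending = {"time": m["ts"], "key": last_get, "deleted": False, "reply_error": None}
            events.append(pending)
        elif fn == "sss_sec_delete" and pending and key and key[1] == pending["key"]:
            pending["deleted"] = True
        elif fn == "kcm_failbuf_construct" and pending:
            code = re.search(r"(-?\d+)$", msg)
            pending["reply_error"] = int(code[1]) if code else None
            pending = None
    return events
```

Calling `dropped_ccaches()` on the text of a KCM debug log returns one dictionary per dropped entry; a lookup that converts cleanly produces none.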