Re: amanda+krb5: Wrong permissions on ccache file.
On Mon, Aug 30, 2010 at 4:24 PM, Dustin J. Mitchell wrote:
> Gotcha. I'll get the modified version of your patch committed, then.

I meant I'll get it reviewed. Can you review this by trying it out?

http://github.com/djmitche/amanda/commit/krb5-fix.patch

Dustin

--
Open Source Storage Engineer
http://www.zmanda.com
Re: amanda+krb5: Wrong permissions on ccache file.
On Mon, Aug 30, 2010 at 4:13 PM, Tim Nowaczyk wrote:
> Because I'm not a C programmer and I didn't know you could do that. I
> thought my choices were between xstr and strcat/strncat. :)

Gotcha. I'll get the modified version of your patch committed, then.

Dustin

--
Open Source Storage Engineer
http://www.zmanda.com
Re: amanda+krb5: Wrong permissions on ccache file.
I'm all for changing error messages - searching the source for error messages is an underutilized debugging technique! Dustin Index: common-src/krb5-security.c === --- common-src/krb5-security.c (revision 3343) +++ common-src/krb5-security.c (working copy) @@ -42,6 +42,9 @@ #include "stream.h" #include "sockaddr-util.h" +#define xstr(s) str(s) +#define str(s) #s + #ifdef KRB5_HEIMDAL_INCLUDES #include "com_err.h" #endif @@ -711,7 +714,7 @@ beenhere = 1; #ifndef BROKEN_MEMORY_CCACHE -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache")); +putenv(stralloc(xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache)); #else /* * MEMORY ccaches seem buggy and cause a lot of internal heap I don't see the point of doing this - why not just use C's normal string-concatenation: -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache")); +putenv(stralloc(KRB5_ENV_CCNAME "=MEMORY:amanda_ccache")); @@ -726,7 +729,7 @@ char *ccache; ccache = malloc(128); g_snprintf(ccache, SIZEOF(ccache), -"KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld", +xstr(KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld), (long)geteuid(), (long)getpid()); putenv(ccache); } Same thing here. Dustin -- Open Source Storage Engineer http://www.zmanda.com
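Review bot: The added line in the @@ -711 hunk, `putenv(stralloc(xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache));`, opens three parentheses and closes only two, so the `#ifndef BROKEN_MEMORY_CCACHE` branch will not compile as posted. xstr() also macro-expands its argument before stringifying it, so while KRB5_ENV_CCNAME is defined as the quoted string "KRB5CCNAME" (the definition cited earlier in the thread) the resulting variable name carries literal quote characters. The adjacent-literal form proposed in the reply, `KRB5_ENV_CCNAME "=MEMORY:amanda_ccache"`, avoids both problems and makes the xstr/str macros added in the @@ -42 hunk unnecessary.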
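Review bot: In the @@ -726 hunk the bound passed to g_snprintf is `SIZEOF(ccache)`, but `ccache` is a `char *` that was just assigned `malloc(128)`, so if SIZEOF wraps sizeof the bound is the size of a pointer and the formatted cache name is cut off after a few bytes. Pass the allocation size instead (ideally one named constant used for both the malloc and the bound) and check the malloc result before writing to it. Since these lines are being touched anyway, note that the FILE: path under /tmp is derived only from the euid and pid and is therefore predictable, which is relevant to the permissions problem this thread started with.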
Re: amanda+krb5: Wrong permissions on ccache file.
On Aug 30, 2010, at 4:52 PM, Dustin J. Mitchell wrote: > > #ifndef BROKEN_MEMORY_CCACHE > -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache")); > +putenv(stralloc(xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache)); > #else > /* > * MEMORY ccaches seem buggy and cause a lot of internal heap > > I don't see the point of doing this - why not just use C's normal > string-concatenation: > > -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache")); > +putenv(stralloc(KRB5_ENV_CCNAME "=MEMORY:amanda_ccache")); > Because I'm not a C programmer and I didn't know you could do that. I thought my choices were between xstr and strcat/strncat. :) Thanks, Tim Nowaczyk -- Timothy Nowaczyk Network Systems Engineer University of Virginia - ITC ta...@virginia.edu
Re: amanda+krb5: Wrong permissions on ccache file.
On Aug 30, 2010, at 11:37 AM, Tim Nowaczyk wrote:
>
> On Aug 29, 2010, at 10:54 AM, Dustin J. Mitchell wrote:
>
>> On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk wrote:
>>> After another day of troubleshooting I think I found the problem. Running
>>> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows
>>> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. This should be
>>> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. I see '#define
>>> KRB5_ENV_CCNAME "KRB5CCNAME"' in 'krb5-security.c', however. Does the
>>> preprocessor still ignore substituting inside string literals? That would
>>> explain why the substitution isn't happening in krb5_init().
>>
>> Yes, it does. Do you want to fix this up and submit a patch?
>>
> Here ya go. I noticed that there were two identical error messages while
> debugging my original problem. This caused me to not know which krb5
> function was failing. In addition to the KRB5CCNAME problem, I have also
> changed the text of one of the error messages to differentiate them.
>

Oops. Forgot to un-quote the environment variable name.

Take 2

amanda-krb5.patch
Description: Binary data
Re: amanda+krb5: Wrong permissions on ccache file.
On Aug 29, 2010, at 10:54 AM, Dustin J. Mitchell wrote:
> On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk wrote:
>> After another day of troubleshooting I think I found the problem. Running
>> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows
>> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. This should be
>> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. I see '#define
>> KRB5_ENV_CCNAME "KRB5CCNAME"' in 'krb5-security.c', however. Does the
>> preprocessor still ignore substituting inside string literals? That would
>> explain why the substitution isn't happening in krb5_init().
>
> Yes, it does. Do you want to fix this up and submit a patch?
>

Here ya go. I noticed that there were two identical error messages while debugging my original problem. This caused me to not know which krb5 function was failing. In addition to the KRB5CCNAME problem, I have also changed the text of one of the error messages to differentiate them.

amanda-krb5.patch
Description: Binary data
Re: amanda+krb5: Wrong permissions on ccache file.
On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk wrote:
> After another day of troubleshooting I think I found the problem. Running
> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows
> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. This should be
> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. I see '#define KRB5_ENV_CCNAME
> "KRB5CCNAME"' in 'krb5-security.c', however. Does the preprocessor still
> ignore substituting inside string literals? That would explain why the
> substitution isn't happening in krb5_init().

Yes, it does. Do you want to fix this up and submit a patch?

Dustin

--
Open Source Storage Engineer
http://www.zmanda.com
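The preprocessor behaviour confirmed in this exchange, as an added C illustration that is not part of the thread or of Amanda's source: it builds the assignment in the three ways discussed (macro name inside a literal, xstr() stringification, adjacent-literal concatenation) and checks which one a getenv("KRB5CCNAME") lookup actually sees. The function names are made up for the example; the #define lines are the ones quoted in the thread.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares putenv() and unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KRB5_ENV_CCNAME "KRB5CCNAME"   /* definition quoted in the thread */
#define xstr(s) str(s)                 /* helper macros from the patch */
#define str(s) #s

/* 1. Macro name inside a string literal: the preprocessor leaves it alone. */
static const char *in_literal(void) {
    return "KRB5_ENV_CCNAME=MEMORY:amanda_ccache";
}
/* 2. xstr(): expands the macro, then stringifies it, quotes included. */
static const char *stringified(void) {
    return xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache);
}
/* 3. Adjacent string literals are concatenated during translation. */
static const char *concatenated(void) {
    return KRB5_ENV_CCNAME "=MEMORY:amanda_ccache";
}

/* Export one form; return 1 if a KRB5CCNAME lookup sees it, 0 if not,
 * -1 on error. sets_ccname() is a made-up helper for this example. */
static int sets_ccname(const char *assignment) {
    size_t len = strlen(assignment) + 1;
    char *copy = malloc(len);   /* putenv() keeps the pointer: not freed on success */
    const char *seen;
    if (copy == NULL) return -1;
    memcpy(copy, assignment, len);
    unsetenv("KRB5CCNAME");
    if (putenv(copy) != 0) { free(copy); return -1; }
    seen = getenv("KRB5CCNAME");
    return seen != NULL && strcmp(seen, "MEMORY:amanda_ccache") == 0;
}

int main(void) {
    const char *forms[] = { in_literal(), stringified(), concatenated() };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s KRB5CCNAME %s\n", forms[i],
               sets_ccname(forms[i]) == 1 ? "visible" : "not visible");
    return 0;
}
```

When the assignment is exported under any other name, a library that reads KRB5CCNAME never sees the override, which is consistent with the cache landing at /tmp/krb5cc_0 in the original report.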
amanda+krb5: Wrong permissions on ccache file.
Greetings all,

I sent the following message to amanda-users before my subscription was accepted. I don't see it in the archives so I'm resending although I have some updates at the end.

Original message--

After a long day of troubleshooting the amcheck message "WARNING: : selfcheck request failed: : could not get TGT: error initializing ccache: Internal credentials cache error", I discovered (by "strace"ing amcheck) that the kerberos credential cache was being written to /tmp/krb5cc_0, but this file already existed and was readable and writeable only by root:root. I deleted root's kerberos ccache and reran amcheck and the program still wanted to use tmp/krb5cc_0, but it set the file's ownership to backup:backup. amcheck then gave me a different error message: "WARNING: : selfcheck request failed: EOF in gss loop".

Is this a problem with my kerberos config, amanda, or with the MIT kerberos libraries? Could the setuid nature of amcheck be confusing the krb5_cc_* code in libkrb5?

Details:
Ubuntu 8.10
Amanda 3.1.0
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.5

Running "kinit -kt /etc/amanda/krb5.keytab amanda/backupser...@realm" as the backup user works. Running "kvno amanda/backupser...@realm" on the client works, so it seems that my kerberos setup is all good.

I realize I could figure out if this is a problem with libkrb5 and not amanda specifically by learning my way around the krb5 library and writing a simple setuid kerberos program, but I thought someone on amanda-users might have seen this before and could lend some pointers.

Updates--

After another day of troubleshooting I think I found the problem. Running 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. This should be 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'. I see '#define KRB5_ENV_CCNAME "KRB5CCNAME"' in 'krb5-security.c', however. Does the preprocessor still ignore substituting inside string literals? That would explain why the substitution isn't happening in krb5_init().

I am still having the 'EOF in gss loop' error however.

Many thanks,
Tim Nowaczyk

--
Timothy Nowaczyk
Network Systems Engineer
University of Virginia - ITC
ta...@virginia.edu