Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Dustin J. Mitchell
On Mon, Aug 30, 2010 at 4:24 PM, Dustin J. Mitchell  wrote:
> Gotcha.  I'll get the modified version of your patch committed, then.

I meant I'll get it reviewed.  Can you review this by trying it out?

  http://github.com/djmitche/amanda/commit/krb5-fix.patch

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com



Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Dustin J. Mitchell
On Mon, Aug 30, 2010 at 4:13 PM, Tim Nowaczyk  wrote:
> Because I'm not a C programmer and I didn't know you could do that.  I 
> thought my choices were between xstr and strcat/strncat. :)

Gotcha.  I'll get the modified version of your patch committed, then.

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com



Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Dustin J. Mitchell
I'm all for changing error messages - searching the source for error
messages is an underutilized debugging technique!

Dustin

Index: common-src/krb5-security.c
===
--- common-src/krb5-security.c  (revision 3343)
+++ common-src/krb5-security.c  (working copy)
@@ -42,6 +42,9 @@
 #include "stream.h"
 #include "sockaddr-util.h"

+#define xstr(s) str(s)
+#define str(s) #s
+
 #ifdef KRB5_HEIMDAL_INCLUDES
 #include "com_err.h"
 #endif
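
Review bot: The `xstr` and `str` names defined after the includes are generic enough to collide with other macros or identifiers in this file or its headers, and nothing says why two levels are needed. If stringification stays, use a prefixed name and add a one-line comment that the outer macro exists so its argument is expanded before `#` is applied; if the call sites use adjacent string literals instead, these two defines can be dropped.
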
@@ -711,7 +714,7 @@
 beenhere = 1;

 #ifndef BROKEN_MEMORY_CCACHE
-putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
+putenv(stralloc(xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache));
 #else
 /*
  * MEMORY ccaches seem buggy and cause a lot of internal heap
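
Review bot: On the `putenv` line, `xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache)` only yields `KRB5CCNAME=MEMORY:amanda_ccache` if `KRB5_ENV_CCNAME` expands to a bare token. The thread quotes the definition as `#define KRB5_ENV_CCNAME "KRB5CCNAME"`, and stringifying that keeps the quote characters, so the variable name that gets set would include the quotes. Either change the define in the same patch or write the argument as `KRB5_ENV_CCNAME "=MEMORY:amanda_ccache"`, which works with the quoted definition. The return value of `putenv` is also unchecked here.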

I don't see the point of doing this - why not just use C's normal
string-concatenation:

-putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
+putenv(stralloc(KRB5_ENV_CCNAME "=MEMORY:amanda_ccache"));

@@ -726,7 +729,7 @@
char *ccache;
ccache = malloc(128);
g_snprintf(ccache, SIZEOF(ccache),
-"KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld",
+xstr(KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld),
 (long)geteuid(), (long)getpid());
putenv(ccache);
 }
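
Review bot: The `g_snprintf` call passes `SIZEOF(ccache)` as the buffer size, but `ccache` is a `char *` returned by `malloc(128)`, so if `SIZEOF` wraps `sizeof` the bound is the size of a pointer rather than 128 and the string is cut off after a few characters however the format is spelled. Pass the allocated length, ideally one named constant shared with the `malloc` call, and check the `malloc` result before writing to it.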

Same thing here.

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com


Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Tim Nowaczyk

On Aug 30, 2010, at 4:52 PM, Dustin J. Mitchell wrote:

> 
> #ifndef BROKEN_MEMORY_CCACHE
> -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
> +putenv(stralloc(xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache));
> #else
> /*
>  * MEMORY ccaches seem buggy and cause a lot of internal heap
> 
> I don't see the point of doing this - why not just use C's normal
> string-concatenation:
> 
> -putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
> +putenv(stralloc(KRB5_ENV_CCNAME "=MEMORY:amanda_ccache"));
> 
Because I'm not a C programmer and I didn't know you could do that.  I thought 
my choices were between xstr and strcat/strncat. :)

Thanks,
Tim Nowaczyk

--
Timothy Nowaczyk
Network Systems Engineer
University of Virginia - ITC
ta...@virginia.edu






Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Tim Nowaczyk

On Aug 30, 2010, at 11:37 AM, Tim Nowaczyk wrote:

> 
> On Aug 29, 2010, at 10:54 AM, Dustin J. Mitchell wrote:
> 
>> On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk  wrote:
>>> After another day of troubleshooting I think I found the problem.  Running 
>>> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 
>>> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  This should be 
>>> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  I see '#define 
>>> KRB5_ENV_CCNAME "KRB5CCNAME"' in 'krb5-security.c', however.  Does the 
>>> preprocessor still ignore substituting inside string literals?  That would 
>>> explain why the substitution isn't happening in krb5_init().
>> 
>> Yes, it does.  Do you want to fix this up and submit a patch?
>> 
> Here ya go.  I noticed that there were two identical error messages while 
> debugging my original problem.  This caused me to not know which krb5 
> function was failing.  In addition to the KRB5CCNAME problem, I have also 
> changed the text of one of the error messages to differentiate them.
> 
Oops.  Forgot to un-quote the environment variable name

Take 2


amanda-krb5.patch
Description: Binary data


Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-30 Thread Tim Nowaczyk

On Aug 29, 2010, at 10:54 AM, Dustin J. Mitchell wrote:

> On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk  wrote:
>> After another day of troubleshooting I think I found the problem.  Running 
>> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 
>> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  This should be 
>> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  I see '#define 
>> KRB5_ENV_CCNAME "KRB5CCNAME"' in 'krb5-security.c', however.  Does the 
>> preprocessor still ignore substituting inside string literals?  That would 
>> explain why the substitution isn't happening in krb5_init().
> 
> Yes, it does.  Do you want to fix this up and submit a patch?
> 
Here ya go.  I noticed that there were two identical error messages while 
debugging my original problem.  This caused me to not know which krb5 function 
was failing.  In addition to the KRB5CCNAME problem, I have also changed the 
text of one of the error messages to differentiate them.




amanda-krb5.patch
Description: Binary data


Re: amanda+krb5: Wrong permissions on ccache file.

2010-08-29 Thread Dustin J. Mitchell
On Wed, Aug 25, 2010 at 5:20 PM, Tim Nowaczyk  wrote:
> After another day of troubleshooting I think I found the problem.  Running 
> 'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 
> 'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  This should be 
> 'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  I see '#define KRB5_ENV_CCNAME 
> "KRB5CCNAME"' in 'krb5-security.c', however.  Does the preprocessor still 
> ignore substituting inside string literals?  That would explain why the 
> substitution isn't happening in krb5_init().

Yes, it does.  Do you want to fix this up and submit a patch?

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com



amanda+krb5: Wrong permissions on ccache file.

2010-08-25 Thread Tim Nowaczyk
Greetings all,

I sent the following message to amanda-users before my subscription was 
accepted.  I don't see it in the archives so I'm resending although I have some 
updates at the end.

Original message--

After a long day of troubleshooting the amcheck message "WARNING: : 
selfcheck request failed: : could not get TGT: error initializing 
ccache: Internal credentials cache error", I discovered (by "strace"ing 
amcheck) that the kerberos credential cache was being written to /tmp/krb5cc_0, 
but this file already existed and was readable and writeable only by root:root. 
 I deleted root's kerberos ccache and reran amcheck and the program still 
wanted to use tmp/krb5cc_0, but it set the file's ownership to backup:backup.  
amcheck then gave me a different error message: "WARNING: : selfcheck 
request failed: EOF in gss loop".

Is this a problem with my kerberos config, amanda, or with the MIT kerberos 
libraries?  Could the setuid nature of amcheck be confusing the krb5_cc_* code 
in libkrb5?

Details:
Ubuntu 8.10
Amanda 3.1.0
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.5

running "kinit -kt /etc/amanda/krb5.keytab amanda/backupser...@realm" as the 
backup user works.   Running "kvno amanda/backupser...@realm" on the client 
works, so it seems that my kerberos setup is all good.  I realize I could 
figure out if this is a problem with libkrb5 and not amanda specifically by 
learning my way around the krb5 library and writing a simple setuid kerberos 
program, but I thought someone on amanda-users might have seen this before and 
could lend some pointers.

Updates--

After another day of troubleshooting I think I found the problem.  Running 
'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 
'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  This should be 
'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  I see '#define KRB5_ENV_CCNAME 
"KRB5CCNAME"' in 'krb5-security.c', however.  Does the preprocessor still 
ignore substituting inside string literals?  That would explain why the 
substitution isn't happening in krb5_init().

I am still having the 'EOF in gss loop' error however.

Many thanks,
Tim Nowaczyk

--
Timothy Nowaczyk
Network Systems Engineer
University of Virginia - ITC
ta...@virginia.edu
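
Added example (not part of the thread or of Amanda's source): the three spellings discussed in the thread, compiled against the `#define KRB5_ENV_CCNAME "KRB5CCNAME"` that the thread quotes, showing which of them actually sets a variable named KRB5CCNAME. `value_if_named` is a hypothetical helper that stands in for a `getenv` lookup after `putenv`.

```c
#include <stdio.h>
#include <string.h>

/* Definition as quoted in the thread from krb5-security.c. */
#define KRB5_ENV_CCNAME "KRB5CCNAME"

/* Two-level stringification helpers, as in the first patch. */
#define xstr(s) str(s)
#define str(s) #s

/* (a) Original code: the macro name is inside a string literal, so the
 * preprocessor never expands it. */
static const char *form_literal(void)
{
    return "KRB5_ENV_CCNAME=MEMORY:amanda_ccache";
}

/* (b) xstr(): the macro is expanded and then stringified, so the quotes
 * of its string-literal definition end up inside the result. */
static const char *form_xstr(void)
{
    return xstr(KRB5_ENV_CCNAME=MEMORY:amanda_ccache);
}

/* (c) Adjacent string literals are concatenated by the compiler. */
static const char *form_concat(void)
{
    return KRB5_ENV_CCNAME "=MEMORY:amanda_ccache";
}

/* Hypothetical helper: value part if the assignment's name is exactly
 * `want` (what getenv(want) would see after putenv), else NULL. */
static const char *value_if_named(const char *assignment, const char *want)
{
    size_t n = strlen(want);
    if (strncmp(assignment, want, n) == 0 && assignment[n] == '=')
        return assignment + n + 1;
    return NULL;
}

int main(void)
{
    const char *forms[] = { form_literal(), form_xstr(), form_concat() };
    for (size_t i = 0; i < 3; i++) {
        const char *v = value_if_named(forms[i], "KRB5CCNAME");
        printf("%-40s -> KRB5CCNAME %s\n", forms[i], v ? v : "(not set)");
    }
    return 0;
}
```

Only form (c) leaves a variable named KRB5CCNAME for the Kerberos library to read; with (a) and (b) the library does not see the setting.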