Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Wed, 2009-11-11 at 19:03 -0500, Simo Sorce wrote:
> I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U sssd will happily refresh the credentials at screen unlock.

Ahhh. ~light bulb goes on~ I am finally coming around to what you are saying. Wow. It's even more broken than I had feared. Certainly that the ccache filename gets regenerated on each authentication is very not so nice. Even if each session had a separate ccache courtesy of the _XX, it's imperative that each login session (including klist, kinit, gnome-screensaver via sssd, etc.) all use the same ccache file, all of the time.

However, that said, I have tried removing the _XX uniqueness from the ccache filename but that does not alleviate my issue here. I now have:

krb5_ccachedir = /tmp
; krb5_ccname_template = FILE:%d/krb5cc_%U_XX
krb5_ccname_template = FILE:%d/krb5cc_%U

And yet I am still getting ccache files with the _XX postfix on them. I have even rebooted completely to ensure that there is nothing hanging around in memory causing this.

> Because sssd is generating a new one each time for now (yes it's a bug).

Yeah, just coming around to that concept. Sorry for being so dense.

> Well I think people were worried that using a predictable name (krb5cc_%U) could be used by malicious user to mount symlink race attacks. We have just copied what is already an available scheme for the krb5 libraries, although we might switch to a default of FILE:%d/krb5cc_%U for the 1.0 release to avoid issues.

Hrm. Yeah. On my non-sssd (pam_krb5) machine here, it's also a krb5cc_%U_XX based filename, but everything here in an entire gnome-session is using the same file, over and over again.

But I also note that on my non-sssd machines, every process has a KRB5CCNAME environment variable, very likely simply through inheritance from the process that started the entire login session. sssd logins don't seem to be setting this variable for the children to inherit which is likely the root of all of this issue. Even a simple ssh-sssd-bash does not populate the environment with a KRB5CCNAME variable.

b.

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Sun, 2009-11-15 at 08:22 -0500, Brian J. Murrell wrote:
> On Wed, 2009-11-11 at 19:03 -0500, Simo Sorce wrote:
> > I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U sssd will happily refresh the credentials at screen unlock.
>
> Ahhh. ~light bulb goes on~ I am finally coming around to what you are saying. Wow. It's even more broken than I had feared. Certainly that the ccache filename gets regenerated on each authentication is very not so nice. Even if each session had a separate ccache courtesy of the _XX, it's imperative that each login session (including klist, kinit, gnome-screensaver via sssd, etc.) all use the same ccache file, all of the time.
>
> However, that said, I have tried removing the _XX uniqueness from the ccache filename but that does not alleviate my issue here. I now have:
>
> krb5_ccachedir = /tmp
> ; krb5_ccname_template = FILE:%d/krb5cc_%U_XX
> krb5_ccname_template = FILE:%d/krb5cc_%U
>
> And yet I am still getting ccache files with the _XX postfix on them. I have even rebooted completely to ensure that there is nothing hanging around in memory causing this.

Brian, I told you 4 messages ago on this same very thread that the doc is wrong and the option is called krb5_ccname_tmpl, in the version you are using. It has been corrected and now it is called krb5_ccname_template only in master.

> > Because sssd is generating a new one each time for now (yes it's a bug).
>
> Yeah, just coming around to that concept. Sorry for being so dense.
>
> > Well I think people were worried that using a predictable name (krb5cc_%U) could be used by malicious user to mount symlink race attacks. We have just copied what is already an available scheme for the krb5 libraries, although we might switch to a default of FILE:%d/krb5cc_%U for the 1.0 release to avoid issues.
>
> Hrm. Yeah. On my non-sssd (pam_krb5) machine here, it's also a krb5cc_%U_XX based filename, but everything here in an entire gnome-session is using the same file, over and over again.

Which is the right thing to do.

> But I also note that on my non-sssd machines, every process has a KRB5CCNAME environment variable, very likely simply through inheritance from the process that started the entire login session.

Yes that's how it works.

> sssd logins don't seem to be setting this variable for the children to inherit which is likely the root of all of this issue. Even a simple ssh-sssd-bash does not populate the environment with a KRB5CCNAME variable.

It should be set by pam_sss, if it is not, please open a bug, and assign it to Sumit (sbose)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Tue, Nov 10, 2009 at 11:36:45PM -0500, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 21:19 +0100, Sumit Bose wrote:
> > Does this mean you are still seeing [Credentials cache I/O operation failed XXX] in krb5_child.log?
>
> No. I am seeing nothing new at all in the krb5_child.log when authentications happen.
>
> > this indicates that everything is ok, please send krb5_child.log, if possible with debug level 10.
>
> Even with debug level 10, there is nothing new in the krb5_child.log:
>
> $ ls -ltar /var/log/sssd/
> total 420
> -rw-------  1 root root    438 2009-11-09 09:23 krb5_child.log
> drwxr-xr-x 15 root root   4096 2009-11-10 07:41 ..
> drwxr-xr-x  2 root root   4096 2009-11-10 23:32 .
> -rw-------  1 root root 152408 2009-11-10 23:32 sssd_pam.log
> -rw-------  1 root root 238167 2009-11-10 23:32 sssd_KRB.log
>
> I have debug_level = 10 in my [domain/KRB] as well as the [pam] section.
>
> Also, I asked previously why I would want per-login unique ccache files with:
>
> krb5_ccname_template = FILE:%d/krb5cc_%U_XX
>
> but nobody answered. Do I really want this or is a single ccache file per user (i.e. drop the _XX in the template) not more ideal?
>
> b.

ah, sorry, I misinterpreted your original post. I thought a ccache file wasn't created at all when using gnome-screensaver.

You are right, if you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XX' with the current version every authentication will create a new ccache file. If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U. We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.

HTH.

bye,
Sumit
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Wed, 2009-11-11 at 09:35 +0100, Sumit Bose wrote:
> ah, sorry, I misinterpreted your original post. I thought a ccache file wasn't created at all when using gnome-screensaver.

No, you didn't misinterpret, I don't think. Here's what happened:

1. Logged into gnome, got a ccache file
2. Noticed that, when unlocking the screen with gnome-screensaver, tickets are not refreshed
   1. in fact I noticed tickets were not being refreshed because eventually, all of my kerberos authorized services (i.e. imap) were failing with expired tickets despite having unlocked my screen many times prior
3. Removed all ccache files
4. Locked screen with gnome-screensaver
5. Successfully unlocked screen with password
6. Observed that the expected ccache file was not re-created by the gnome-screensaver unlocking process

Removing the ccache file(s) was just an effort to further prove that sssd via gnome-screensaver is not renewing tickets. If it were, wouldn't it have created a new ccache file, just like:

$ kinit
$ rm $ccache_file
$ kinit

would?

> You are right, if you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XX' with the current version every authentication will create a new ccache file.

No. Every unique login will create a new ccache file. A gnome desktop user logged in gets a single ccache ticket which every application in the session will use. But that also means that a gnome-screensaver authentication will (re-)use that same ccache file.

> If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.

I don't think so. I think even a per-login-session ccache file that will be created by a gnome session should work if sssd is correctly renewing the TGT, because the same ccache file that was created by gdm should be updated by gnome-screensaver.

> We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.

I really don't see why these FILE:%d/krb5cc_%U_XX-style files would not renew in the context of a gnome session. On the other hand, I don't really see the purpose of FILE:%d/krb5cc_%U_XX-style files where every login session is a new ccache. Can anyone share a use-case where this is needed?

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Wed, 2009-11-11 at 17:27 -0500, Brian J. Murrell wrote:
> > If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.
>
> I don't think so. I think even a per-login-session ccache file that will be created by a gnome session should work if sssd is correctly renewing the TGT, because the same ccache file that was created by gdm should be updated by gnome-screensaver.

I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U sssd will happily refresh the credentials at screen unlock. Unfortunately the code and the docs disagree on the parm name but we already have a patch on the list to fix this.

> > We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.
>
> I really don't see why these FILE:%d/krb5cc_%U_XX-style files would not renew in the context of a gnome session.

Because sssd is generating a new one each time for now (yes it's a bug).

> On the other hand, I don't really see the purpose of FILE:%d/krb5cc_%U_XX-style files where every login session is a new ccache. Can anyone share a use-case where this is needed?

Well I think people were worried that using a predictable name (krb5cc_%U) could be used by malicious user to mount symlink race attacks. We have just copied what is already an available scheme for the krb5 libraries, although we might switch to a default of FILE:%d/krb5cc_%U for the 1.0 release to avoid issues.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
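The trade-off Simo describes, as an added example that is not SSSD's own code: expanding the two template shapes from this thread (%d, %U and the random _XX suffix), creating the per-login variant atomically with mkstemp(), and opening the predictable per-user FILE:%d/krb5cc_%U path in a way that refuses a planted symlink and rejects a file the user does not own. The function names (expand_ccname_template, file_ccache_path, create_unique_ccache, open_ccache_safely) are hypothetical.

```c
/* Added example (not SSSD code): expanding krb5_ccname_template values and
 * opening a FILE: ccache at a predictable path without following symlinks.
 * All function names here are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Expand %d (krb5_ccachedir) and %U (numeric uid).  A template ending in
 * "XX" is widened to the six X's mkstemp() needs, so "krb5cc_%U_XX" becomes
 * a per-login random name while "krb5cc_%U" stays fixed per user.
 * Returns 0, or -1 if the result does not fit in out[]. */
int expand_ccname_template(const char *tmpl, const char *ccdir, uid_t uid,
                           char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        int w;
        if (p[0] == '%' && p[1] == 'd') {
            w = snprintf(out + n, outlen - n, "%s", ccdir);
            p++;
        } else if (p[0] == '%' && p[1] == 'U') {
            w = snprintf(out + n, outlen - n, "%lu", (unsigned long)uid);
            p++;
        } else {
            w = snprintf(out + n, outlen - n, "%c", *p);
        }
        if (w < 0 || (size_t)w >= outlen - n)
            return -1;                  /* truncated: refuse a partial name */
        n += (size_t)w;
    }
    if (n >= 2 && strcmp(out + n - 2, "XX") == 0) {
        if (n + 4 >= outlen)            /* "XX" -> "XXXXXX" adds four bytes */
            return -1;
        strcpy(out + n - 2, "XXXXXX");
    }
    return 0;
}

/* Path part of a "FILE:/path" ccache name, or NULL for other ccache types. */
const char *file_ccache_path(const char *ccname)
{
    return strncmp(ccname, "FILE:", 5) == 0 ? ccname + 5 : NULL;
}

/* Per-login variant: mkstemp() creates the file atomically with O_EXCL, so
 * nobody can pre-plant a link at the name.  The caller must then publish the
 * chosen name (KRB5CCNAME) to every process that should share the ccache. */
int create_unique_ccache(char *path_with_xxxxxx)
{
    return mkstemp(path_with_xxxxxx);
}

/* Per-user variant at a predictable path.  O_NOFOLLOW makes a planted
 * symlink fail with ELOOP instead of redirecting the write elsewhere; the
 * fstat() on the already-open descriptor (not a stat() on the path, which
 * could race) rejects a file that is not ours, is hard-linked, or is
 * accessible to others.  Returns the descriptor or -1 with errno set. */
int open_ccache_safely(const char *path, uid_t uid)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != uid || st.st_nlink != 1 ||
        (st.st_mode & 077) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```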
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On 11/09/2009 07:52 AM, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 07:33 -0500, Stephen Gallagher wrote:
> > Brian, can you open a bug at https://fedorahosted.org
>
> I would but I can't make out the stupid captcha and there is no button to generate a new one! I really hate captchas you know. They are getting to the point where nobody can read them.

If you create an account at https://admin.fedoraproject.org/accounts you will not be required to validate the captcha.

> > Then rerun your test and include the /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_yourdomain.log files as an attachment.
>
> Here is what the log says:
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, 2009-11-09 at 07:58 -0500, Stephen Gallagher wrote:
> If you create an account at https://admin.fedoraproject.org/accounts you will not be required to validate the captcha.

That's the site (including the https) I am at. Anyway, I seem to have found one I could actually read.

> Brian, can you also attach the [domain/KRB5] section so we can see what your configuration looks like? (feel free to sanitize passwords if you are using them)

Sure.

[domain/KRB]
auth_provider = krb5
cache_credentials = true
enumerate = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap
ldap_user_search_base = ou=People,dc=interlinx,dc=bc,dc=ca
ldap_group_search_base = ou=Group,dc=interlinx,dc=bc,dc=ca
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
krb5_kdcip = 10.75.22.3
krb5_realm = ILINX
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XX
krb5_auth_timeout = 15
debug_timestamps = true
debug_to_files = true
debug_level = 6

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, Nov 09, 2009 at 07:52:43AM -0500, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 07:33 -0500, Stephen Gallagher wrote:
> > Brian, can you open a bug at https://fedorahosted.org
>
> I would but I can't make out the stupid captcha and there is no button to generate a new one! I really hate captchas you know. They are getting to the point where nobody can read them.
>
> > Then rerun your test and include the /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_yourdomain.log files as an attachment.
>
> Here is what the log says:

Can you send krb5_child.log, too?

Thanks.

bye,
Sumit
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, Nov 09, 2009 at 08:48:19AM -0500, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 14:34 +0100, Sumit Bose wrote:
> > Can you send krb5_child.log, too?
>
> Nothing too exciting:
>
> (1257770543) [[sssd[krb5_child[23777 [get_and_save_tgt] (1): 241: [-1765328191][Credentials cache I/O operation failed XXX]
> (1257770543) [[sssd[krb5_child[23777 [tgt_req_child] (1): 411: [-1765328191][Credentials cache I/O operation failed XXX]
>
> b.

This error indicates a short write. Can you check if a ccache file is created at all and if yes check the content with klist?

bye,
Sumit
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, 2009-11-09 at 07:58 -0500, Stephen Gallagher wrote:
> Hmm, this looks incorrect here. Why are we getting child status[0] and then no child with pid [23777]
>
> Sumit, do you have any ideas here?

I think that we have concurrent functions using waitpid() for children. One in sig_cld and then one in krb5_child_sig_handler.

It is probably a good idea to address that with an API to register callback functions from a single function that runs waitpid()

Simo.

--
Simo Sorce * Red Hat, Inc * New York
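The design Simo sketches, as an added example that is not SSSD's own code: one reaper owns the only waitpid() call and hands each child's status to whoever registered for that pid, so two handlers can no longer consume each other's exit status and report "no child with pid". The names (child_register, child_dispatch, child_reap_all, note_exit) are hypothetical.

```c
/* Added example (not SSSD code): a single SIGCHLD reaper with per-pid
 * callbacks.  With two independent handlers each calling waitpid(-1, ...),
 * whichever runs first consumes the status and the other one finds nothing.
 * All names here are hypothetical. */
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef void (*child_cb_t)(pid_t pid, int status, void *pvt);

struct child_reg { pid_t pid; child_cb_t cb; void *pvt; int used; };

#define MAX_CHILDREN 64
static struct child_reg children[MAX_CHILDREN];

/* Register once per fork().  Returns 0, or -1 if the table is full. */
int child_register(pid_t pid, child_cb_t cb, void *pvt)
{
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (!children[i].used) {
            children[i] = (struct child_reg){ pid, cb, pvt, 1 };
            return 0;
        }
    }
    return -1;
}

/* Hand a reaped status to its owner.  Returns 1 if a callback was found,
 * 0 for a pid nobody registered (a child no caller is waiting for). */
int child_dispatch(pid_t pid, int status)
{
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (children[i].used && children[i].pid == pid) {
            struct child_reg r = children[i];
            children[i].used = 0;      /* free the slot before calling out */
            r.cb(pid, status, r.pvt);
            return 1;
        }
    }
    return 0;
}

/* The only place that ever calls waitpid(): run it from the SIGCHLD path
 * or an event-loop signal callback.  Loops because several SIGCHLDs may be
 * coalesced into one delivery.  Returns the number of children dispatched. */
int child_reap_all(void)
{
    int dispatched = 0;
    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, WNOHANG);
        if (pid == 0)
            break;                     /* children remain, none exited yet */
        if (pid < 0) {
            if (errno == EINTR)
                continue;
            break;                     /* ECHILD: nothing left to reap */
        }
        dispatched += child_dispatch(pid, status);
    }
    return dispatched;
}

/* Callback used by the demo and the test: records the exit code, or the
 * negated signal number if the child was killed. */
static void note_exit(pid_t pid, int status, void *pvt)
{
    int *slot = pvt;
    (void)pid;
    *slot = WIFEXITED(status) ? WEXITSTATUS(status) : -WTERMSIG(status);
}

/* Demo: one child exits 7, one is killed with SIGTERM; both statuses reach
 * their owners through the same reaper. */
int main(void)
{
    int a = 100, b = 100;
    pid_t p1 = fork();
    if (p1 == 0)
        _exit(7);
    child_register(p1, note_exit, &a);
    pid_t p2 = fork();
    if (p2 == 0) {
        pause();
        _exit(0);
    }
    child_register(p2, note_exit, &b);
    kill(p2, SIGTERM);
    while (a == 100 || b == 100) {     /* polling stands in for a signal handler */
        child_reap_all();
        usleep(1000);
    }
    return (a == 7 && b == -SIGTERM) ? 0 : 1;
}
```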
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, 2009-11-09 at 15:13 +0100, Sumit Bose wrote:
> This error indicates a short write.

Ahhh. Now that is meaningful to me. :-)

> Can you check if a ccache file is created at all and if yes check the content with klist?

I didn't realize it was the ccache it was complaining about and I thought it was sssd's internal caching (i.e. for disconnected use) that it was complaining about. It turns out that / (where /tmp lives) is full -- filled up with a stupid $@# flash file, and PDFs even. Why is this crap being created in /? This is all ~/tmp/ fodder. Hrm. Now that I think of it, I wonder if I really want /var/tmp for my krb5_ccachedir.

Anyway, creating some space in /tmp resolved the caching failure.

I also notice that I have:

krb5_ccname_template = FILE:%d/krb5cc_%U_XX

Which I got from the example template. Do I really want a unique ccache for each logged instance of a single user?

So, back to testing gnome-screensaver and ccache refreshing...

In my efforts to clean up /tmp, I simply removed all of the krb5cc files for the desktop user, so no ccache files at all. I then unlocked the screensaver and there was no new ccache file created. A klist from that desktop user yields:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1001_mk7UxQ)

Surely, if gnome-screensaver's calling of pam_sssd were refreshing the ccache, in this case it would have re-created it, yes?

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, 2009-11-09 at 15:47 +0100, Sumit Bose wrote:
> yes, can you send the log files for the gnome-screensaver case ?

Sure. Nothing new in the krb5_child.log, however, sssd_pam.log:

(1257778320) [sssd[pam]] [accept_fd_handler] (4): Client connected!
(1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Received client version [3].
(1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Offered version [3].
(1257778320) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(1257778320) [sssd[pam]] [pam_print_data] (4): command: 241
(1257778320) [sssd[pam]] [pam_print_data] (4): domain: (null)
(1257778320) [sssd[pam]] [pam_print_data] (4): user: brian
(1257778320) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
(1257778320) [sssd[pam]] [pam_print_data] (4): tty: :0.0
(1257778320) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(1257778320) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(1257778320) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(1257778320) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): priv: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): pw_uid: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): gr_gid: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
(1257778320) [sssd[pam]] [sss_dp_send_acct_req_create] (4): Sending request for [KRB][1][core][name=brian]
(1257778321) [sssd[pam]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider
(1257778321) [sssd[pam]] [pam_dp_send_req] (4): Sending request with the following data:
(1257778321) [sssd[pam]] [pam_print_data] (4): command: 241
(1257778321) [sssd[pam]] [pam_print_data] (4): domain: KRB
(1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
(1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
(1257778321) [sssd[pam]] [pam_print_data] (4): tty: :0.0
(1257778321) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): priv: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 1001
(1257778321) [sssd[pam]] [pam_print_data] (4): gr_gid: 1001
(1257778321) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
(1257778321) [sssd[pam]] [pam_dom_forwarder] (4): pam_dp_send_req returned 0
(1257778321) [sssd[pam]] [pam_dp_process_reply] (4): received: [0][KRB]
(1257778321) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(1257778321) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(1257778321) [sssd[pam]] [pam_reply] (4): blen: 131
(1257778321) [sssd[pam]] [pam_cmd_acct_mgmt] (4): entering pam_cmd_acct_mgmt
(1257778321) [sssd[pam]] [pam_print_data] (4): command: 243
(1257778321) [sssd[pam]] [pam_print_data] (4): domain: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
(1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
(1257778321) [sssd[pam]] [pam_print_data] (4): tty: :0.0
(1257778321) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok type: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok size: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): priv: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): gr_gid: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
(1257778321) [sssd[pam]] [pam_dp_send_req] (4): Sending request with the following data:
(1257778321) [sssd[pam]] [pam_print_data] (4): command: 243
(1257778321) [sssd[pam]] [pam_print_data] (4): domain: KRB
(1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
(1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
(1257778321) [sssd[pam]] [pam_print_data] (4): tty: :0.0
(1257778321) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok type: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): authtok size: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): priv: 0
(1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 1001
(1257778321) [sssd[pam]] [pam_print_data] (4): gr_gid: 1001
(1257778321) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
(1257778321)
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On 11/09/2009 09:56 AM, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 15:47 +0100, Sumit Bose wrote:
> > yes, can you send the log files for the gnome-screensaver case ?
>
> Sure. Nothing new in the krb5_child.log, however, sssd_pam.log:
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, 2009-11-09 at 10:06 -0500, Stephen Gallagher wrote:
> Please also attach sssd_KRB5.log. That is more likely to have the relevant information.

Not at all I'm afraid. The last timestamp I have in that file is 1257770543 and the last timestamp of the gnome-screensaver use that I sent previously was 1257778321, a full 2h and 10 minutes after the sssd_pam.log.

And just to confirm, I just used gnome-screensaver again, and nothing new was appended to /var/log/sssd/sssd_KRB.log.

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Mon, Nov 09, 2009 at 09:56:24AM -0500, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 15:47 +0100, Sumit Bose wrote:
> > yes, can you send the log files for the gnome-screensaver case ?
>
> Sure. Nothing new in the krb5_child.log, however, sssd_pam.log:

Does this mean you are still seeing [Credentials cache I/O operation failed XXX] in krb5_child.log?

> (1257778320) [sssd[pam]] [accept_fd_handler] (4): Client connected!
> (1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Received client version [3].
> (1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Offered version [3].
> (1257778320) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
> (1257778320) [sssd[pam]] [pam_print_data] (4): command: 241
> (1257778320) [sssd[pam]] [pam_print_data] (4): domain: (null)
> (1257778320) [sssd[pam]] [pam_print_data] (4): user: brian
> (1257778320) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
> (1257778320) [sssd[pam]] [pam_print_data] (4): tty: :0.0
> (1257778320) [sssd[pam]] [pam_print_data] (4): ruser: (null)
> (1257778320) [sssd[pam]] [pam_print_data] (4): rhost: (null)
> (1257778320) [sssd[pam]] [pam_print_data] (4): authtok type: 1
> (1257778320) [sssd[pam]] [pam_print_data] (4): authtok size: 8
> (1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
> (1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
> (1257778320) [sssd[pam]] [pam_print_data] (4): priv: 0
> (1257778320) [sssd[pam]] [pam_print_data] (4): pw_uid: 0
> (1257778320) [sssd[pam]] [pam_print_data] (4): gr_gid: 0
> (1257778320) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
> (1257778320) [sssd[pam]] [sss_dp_send_acct_req_create] (4): Sending request for [KRB][1][core][name=brian]
> (1257778321) [sssd[pam]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider
> (1257778321) [sssd[pam]] [pam_dp_send_req] (4): Sending request with the following data:
> (1257778321) [sssd[pam]] [pam_print_data] (4): command: 241
> (1257778321) [sssd[pam]] [pam_print_data] (4): domain: KRB
> (1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
> (1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
> (1257778321) [sssd[pam]] [pam_print_data] (4): tty: :0.0
> (1257778321) [sssd[pam]] [pam_print_data] (4): ruser: (null)
> (1257778321) [sssd[pam]] [pam_print_data] (4): rhost: (null)
> (1257778321) [sssd[pam]] [pam_print_data] (4): authtok type: 1
> (1257778321) [sssd[pam]] [pam_print_data] (4): authtok size: 8
> (1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
> (1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
> (1257778321) [sssd[pam]] [pam_print_data] (4): priv: 0
> (1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 1001
> (1257778321) [sssd[pam]] [pam_print_data] (4): gr_gid: 1001
> (1257778321) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
> (1257778321) [sssd[pam]] [pam_dom_forwarder] (4): pam_dp_send_req returned 0
> (1257778321) [sssd[pam]] [pam_dp_process_reply] (4): received: [0][KRB]

this indicates that everything is ok, please send krb5_child.log, if possible with debug level 10.

bye,
Sumit
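As an added example (not code from this thread or from the SSSD project): a small Python parser for the sssd_pam.log format quoted above. It groups the debug lines into PAM requests (one per "entering pam_cmd_*" line), collects the pam_print_data fields with the resolved domain and uid from the re-printed request, extracts the backend reply from the "received: [status][domain]" line, and performs the timestamp comparison Brian did by hand: checking whether the backend log (sssd_KRB5.log) has anything as new as the last PAM request. The PAM sample lines are taken from the log above; the single backend log line and its function name are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# sssd debug log format as seen in the thread:
#   (1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
# The component may itself contain brackets (e.g. "be[KRB]"), hence the lazy match.
LOG_RE = re.compile(
    r"^\((?P<ts>\d+)\) \[sssd\[(?P<comp>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
REPLY_RE = re.compile(r"^received: \[(?P<status>\d+)\]\[(?P<domain>[^\]]*)\]$")


def parse_line(line: str) -> Optional[dict]:
    """Split one sssd log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["level"] = int(rec["level"])
    return rec


def last_timestamp(lines: List[str]) -> Optional[int]:
    """Newest timestamp in a log, or None if the log holds no parsable lines."""
    stamps = [r["ts"] for r in map(parse_line, lines) if r]
    return max(stamps) if stamps else None


def summarize_pam_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Group sssd_pam.log lines into PAM requests.

    A request starts at 'entering pam_cmd_<name>'. The pam_print_data lines
    that follow carry its fields; pam_dp_send_req re-prints them with the
    domain and uid resolved, so later values overwrite earlier ones.
    The backend's answer arrives as 'received: [status][domain]'.
    """
    requests: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["func"].startswith("pam_cmd_") and msg.startswith("entering "):
            current = {"cmd": msg.split()[-1], "ts": rec["ts"],
                       "fields": {}, "reply": None}
            requests.append(current)
        elif current is None:
            continue
        elif rec["func"] == "pam_print_data" and ": " in msg:
            key, _, value = msg.partition(": ")   # "tty: :0.0" -> ("tty", ":0.0")
            current["fields"][key] = value
        elif rec["func"] == "pam_dp_process_reply":
            m = REPLY_RE.match(msg)
            if m:
                current["reply"] = (int(m.group("status")), m.group("domain"))
    return requests


def backend_log_stale(pam_lines: List[str], backend_lines: List[str]) -> bool:
    """True when the backend log has nothing as new as the last PAM request,
    i.e. the request apparently never reached the backend."""
    pam_ts = last_timestamp(pam_lines)
    if pam_ts is None:
        return False
    be_ts = last_timestamp(backend_lines)
    return be_ts is None or be_ts < pam_ts


# Sample input: lines copied from the sssd_pam.log quoted in the thread.
SAMPLE_PAM_LOG = """\
(1257778320) [sssd[pam]] [accept_fd_handler] (4): Client connected!
(1257778320) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(1257778320) [sssd[pam]] [pam_print_data] (4): command: 241
(1257778320) [sssd[pam]] [pam_print_data] (4): domain: (null)
(1257778320) [sssd[pam]] [pam_print_data] (4): user: brian
(1257778320) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
(1257778320) [sssd[pam]] [pam_print_data] (4): tty: :0.0
(1257778320) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(1257778320) [sssd[pam]] [pam_print_data] (4): pw_uid: 0
(1257778320) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
(1257778321) [sssd[pam]] [pam_dp_send_req] (4): Sending request with the following data:
(1257778321) [sssd[pam]] [pam_print_data] (4): domain: KRB
(1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 1001
(1257778321) [sssd[pam]] [pam_dp_process_reply] (4): received: [0][KRB]
(1257778321) [sssd[pam]] [pam_cmd_acct_mgmt] (4): entering pam_cmd_acct_mgmt
(1257778321) [sssd[pam]] [pam_print_data] (4): command: 243
(1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
""".splitlines()

# Constructed backend log: its newest entry (1257770543) predates the screensaver
# unlock (1257778321), as reported in the thread. The function name is a placeholder.
SAMPLE_KRB5_LOG = [
    "(1257770543) [sssd[be[KRB]]] [placeholder_func] (4): constructed backend line",
]

if __name__ == "__main__":
    for req in summarize_pam_requests(SAMPLE_PAM_LOG):
        f = req["fields"]
        print(req["cmd"], f.get("user"), f.get("service"), f.get("domain"), req["reply"])
    print("backend log stale:", backend_log_stale(SAMPLE_PAM_LOG, SAMPLE_KRB5_LOG))
```

Running it lists the authenticate request as answered with status 0 by the KRB domain and the account-management request as still unanswered, and reports the backend log as stale, which is exactly the symptom under discussion: the PAM responder considers the unlock a success while the Kerberos backend has logged nothing for it.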
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Sat, 2009-11-07 at 20:02 -0500, Simo Sorce wrote:
> It should work, any chance you can check if this fails to work with
> master as well ?

Master fails in a completely different way:

Nov 8 18:19:41 laptop login[17852]: pam_sss(login:auth): user info: [Credentials cache I/O operation failed XXX]
Nov 8 18:19:41 laptop login[17852]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=brian
Nov 8 18:19:41 laptop login[17852]: pam_sss(login:auth): received for user brian: 4 (System error)

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Sat, 2009-11-07 at 15:32 -0500, Brian J. Murrell wrote:
> I've got SSSD 0.7.1 installed on a laptop here for my wife. She
> authenticates with kerberos on that laptop via sssd. So, when she first
> logs in, sssd manages to get her a tgt and everything is good. However
> when gnome-screensaver locks her screen and she uses her (kerberos of
> course) password to unlock it, there does not seem to be any tgt
> renewal happening like it did with pam_krb5.so.
>
> Have I configured something incorrectly? The domain I created for
> kerberos looks like:
>
> [domain/KRB]
> auth_provider = krb5
> cache_credentials = true
> enumerate = true
> id_provider = ldap
> chpass_provider = krb5
> ldap_uri = ldap://ldap
> ldap_user_search_base = ou=People,dc=interlinx,dc=bc,dc=ca
> ldap_group_search_base = ou=Group,dc=interlinx,dc=bc,dc=ca
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
> krb5_kdcip = 10.75.22.3
> krb5_realm = ILINX
> krb5_changepw_principle = kadmin/changepw
> krb5_ccachedir = /tmp
> krb5_ccname_template = FILE:%d/krb5cc_%U_XX
> krb5_auth_timeout = 15
>
> Have I done something incorrectly?

It should work, any chance you can check if this fails to work with master as well ?

Otherwise just open a bug and we will verify asap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York