If krb5_canonicalize is not present or is True in sssd.conf, then sssd
asks krb5_get_init_creds_keytab() to canonicalize principals. This can
change the client principal. When writing out the credential cache, we
should use this changed principal, and not the original one.

Failure to do this results in errors when LDAP tries to use the
credential cache:

[19310] 1334138369.931274: Initializing
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
default principal STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/ad.thewalter....@ad.thewalter.lan from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/ad.thewalter....@ad.thewalter.lan in
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired
on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for
server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials
STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@ from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter....@ad.thewalter.lan with result:
-1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with
ldap/dc.ad.thewalter....@ad.thewalter.lan
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/ad.thewalter....@ad.thewalter.lan from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/ad.thewalter....@ad.thewalter.lan from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]

This is because the default principal in the credential cache does not
match any of the credentials:

[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48
krbtgt/ad.thewalter....@ad.thewalter.lan
 for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01

Note the difference in capitalization.

This bug is present in SSSD git master.

I will attach a simple patch that fixes the problem. An alternate patch
would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
writing the credential cache in sssd code.

Cheers,

Stef
From 3c59af5d61fa0eb0618acb3f097c51b04234e077 Mon Sep 17 00:00:00 2001
From: Stef Walter <st...@gnome.org>
Date: Wed, 11 Apr 2012 12:12:57 +0200
Subject: [PATCH] If canon'ing principals, write ccache with updated default
 principal

 * When calling krb5_get_init_creds_keytab() with
   krb5_get_init_creds_opt_set_canonicalize() the credential
   principal can get updated.
 * Create the cache file with the correct default credential.
 * LDAP GSSAPI SASL would fail due to the mismatched credentials
   before this patch.

https://bugzilla.redhat.com/show_bug.cgi?id=811518
---
 src/providers/ldap/ldap_child.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 81604d7..e8bce85 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -296,7 +296,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
         goto done;
     }
 
-    krberr = krb5_cc_initialize(context, ccache, kprinc);
+    krberr = krb5_cc_initialize(context, ccache, my_creds.client);
     if (krberr) {
         DEBUG(2, ("Failed to init ccache: %s\n",
                   sss_krb5_get_error_message(context, krberr)));
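Review bot: my_creds.client is only populated once the krb5_get_init_creds_keytab() call named in the commit message has succeeded, so `krberr = krb5_cc_initialize(context, ccache, my_creds.client);` depends on the error check ending in `goto done` just above it covering every failure path; it would also help to state, in the commit message or in a comment on that line, that the cache's default principal may now differ in case from kprinc, and to check the remainder of ldap_child_get_tgt_sync() for uses of kprinc that still assume it matches what was written to the cache.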
-- 
1.7.10
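The report's diagnosis rests on one check: the default principal stored in the cache must be byte-for-byte the same as the client principal of the credentials in it, because Kerberos principal comparison is case-sensitive. The following is an added example, not code from the report or from SSSD, that parses the text MIT `klist` prints for a credential cache and flags that mismatch. The listings are constructed in the shape of the one above, with a placeholder realm and cache path rather than the reporter's; running the script with a cache path as its argument invokes `klist -c <path>` on a real cache (assumed to be MIT krb5's klist format).

```python
"""Detect a default-principal / credential mismatch in a ccache listing.

Added example, not part of the bug report or of SSSD. It parses the text
that MIT `klist` prints for a credential cache and flags credentials whose
client principal is not exactly equal to the cache's default principal.
Kerberos compares principals case-sensitively (krb5_principal_compare), so
the upper/lower-case difference seen in the report is a real mismatch: a
GSSAPI client looking up tickets under the default principal finds none.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class Credential:
    service: str
    client: str  # principal the ticket was issued to


@dataclass
class CacheListing:
    cache: str = ""
    default_principal: str = ""
    creds: list = field(default_factory=list)


_CACHE_RE = re.compile(r"^Ticket cache:\s+(\S+)")
_DEFAULT_RE = re.compile(r"^Default principal:\s+(\S+)")
# "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service/name@REALM"
_CRED_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s*(\S*)$")
# klist prints this continuation line only when the ticket's client
# principal differs from the cache's default principal.
_CLIENT_RE = re.compile(r"^\s+for client ([^,\s]+),")


def parse_klist(text):
    """Parse `klist` output into a CacheListing."""
    listing = CacheListing()
    want_service = False  # set when a date line carried no service principal
    for line in text.splitlines():
        if want_service and line.strip():
            listing.creds[-1].service = line.strip()
            want_service = False
            continue
        m = _CACHE_RE.match(line)
        if m:
            listing.cache = m.group(1)
            continue
        m = _DEFAULT_RE.match(line)
        if m:
            listing.default_principal = m.group(1)
            continue
        m = _CRED_RE.match(line)
        if m:
            # Without a "for client" line the client is the default principal.
            listing.creds.append(Credential(m.group(1), listing.default_principal))
            want_service = not m.group(1)
            continue
        m = _CLIENT_RE.match(line)
        if m and listing.creds:
            listing.creds[-1].client = m.group(1)
    return listing


def mismatched_credentials(listing):
    """Credentials whose client principal is not byte-for-byte the default.
    The exact string comparison mirrors krb5_principal_compare(): case matters."""
    return [c for c in listing.creds if c.client != listing.default_principal]


def check_cache(text):
    """Return (default_principal, [(client, service), ...]) for mismatches."""
    listing = parse_klist(text)
    return listing.default_principal, [
        (c.client, c.service) for c in mismatched_credentials(listing)]


# Constructed listings in the shape of the one in the report; realm and cache
# path are placeholders. BROKEN_LISTING is the cache written with the
# pre-canonicalization principal, FIXED_LISTING the one written from the
# principal the KDC returned.
BROKEN_LISTING = (
    "Ticket cache: FILE:/var/lib/sss/db/ccache_EXAMPLE.COM\n"
    "Default principal: STEF-DESKTOP$@EXAMPLE.COM\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "\tfor client stef-desktop$@EXAMPLE.COM, renew until 04/12/12 12:01:01\n"
)
FIXED_LISTING = (
    "Ticket cache: FILE:/var/lib/sss/db/ccache_EXAMPLE.COM\n"
    "Default principal: stef-desktop$@EXAMPLE.COM\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "\trenew until 04/12/12 12:01:01\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real cache: `klist -c <path>` prints the same format (MIT krb5).
        text = subprocess.run(["klist", "-c", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = BROKEN_LISTING
    default, bad = check_cache(text)
    for client, service in bad:
        print(f"default principal {default} != ticket client {client} ({service})")
    sys.exit(1 if bad else 0)
```

The `for client` continuation line is itself the tell: MIT klist only prints it when a ticket's client principal is not equal to the cache's default principal, which is exactly the condition that made the GSSAPI bind above fail.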

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
