Now that RHEL8 is out, our site is again looking at whether it would
be feasible to change our default Kerberos credentials storage from
the kernel persistent keyring to sssd-kcm.

Unfortunately, the answer still seems to be no, as we haven't been
able to find a way to get Kerberos ticket forwarding
(GSSAPIDelegateCredentials, in OpenSSH parlance) working when using
sssd-kcm as the credentials storage mechanism on the target host (the
one the credentials are being delegated to).

With the target host (the one the credentials are being delegated to)
using "default_ccache_name = KEYRING:persistent:%{uid}" in krb5.conf,
this is what sshd debugging shows:

debug1: temporarily_use_uid: 123456789/987654321 (e=0/0)
debug3: ssh_krb5_cc_new_unique: called
debug3: ssh_krb5_get_cctemplate: called
debug3: ssh_krb5_expand_template: called, template = KEYRING:persistent:%{uid}
debug3: ssh_krb5_get_cctemplate: returning with ccname = KEYRING:persistent:123456789
debug3: ssh_krb5_cc_new_unique: setting default ccname to KEYRING:persistent:123456789
debug3: ssh_krb5_cc_new_unique: calling cc_new_unique(KEYRING:persistent:123456789)
debug3: ssh_krb5_cc_new_unique: calling cc_switch()
debug1: restore_uid: 0/0

In contrast, with "default_ccache_name = KCM:" in /etc/krb5.conf:

debug1: temporarily_use_uid: 123456789/987654321 (e=0/0)
debug3: ssh_krb5_cc_new_unique: called
debug3: ssh_krb5_get_cctemplate: called
debug3: ssh_krb5_expand_template: called, template = KCM:
debug3: ssh_krb5_get_cctemplate: returning with ccname = KCM:
debug3: ssh_krb5_cc_new_unique: setting default ccname to KCM:
debug3: ssh_krb5_cc_new_unique: calling cc_new_unique(KCM:)
debug3: ssh_krb5_cc_new_unique: calling cc_switch()
ssh_krb5_cc_new_unique(): Matching credential not found
debug1: restore_uid: 0/0

So, when sssd-kcm is in use, ssh_krb5_expand_template() fails, instead
of returning what would be expected in this case, which (based on the
kernel persistent keyring case) would be "KCM:123456789".

sssd_kcm.log contains:

(Fri May 10 12:33:34 2019) [sssd[kcm]] [get_client_cred] (0x4000):
Client creds: euid[123456789] egid[987654321] pid[8661].
(Fri May 10 12:33:34 2019) [sssd[kcm]] [setup_client_idle_timer]
(0x4000): Idle timer re-set for client [0x560fd598dc10][14]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [accept_fd_handler] (0x0400):
Client connected!
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_input_parse] (0x1000):
Received message with length 4
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The
client requested operation 3
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM
operation GEN_NEW
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 0
bytes on KCM input
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_send] (0x0200):
Adding request by 123456789 to the wait queue
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_get] (0x1000): No
existing queue for this ID
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_send] (0x1000):
Queue was empty, running the request immediately
(Fri May 10 12:33:34 2019) [sssd[kcm]] [ccdb_secdb_nextid_send]
(0x1000): Generating a new ID
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_map_path] (0x1000):
Mapping prefix /kcm/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_map_url_to_path] (0x1000):
User-specific KCM path is [/kcm/persistent/123456789/ccache/]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [local_db_dn] (0x2000): Local
path for [persistent/123456789/ccache/] is
[cn=ccache,cn=123456789,cn=persistent,cn=kcm]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_new_req] (0x1000):
Local DB path is persistent/123456789/ccache/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [secdb_container_url_req]
(0x2000): Created request for URL /kcm/persistent/123456789/ccache/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x0400):
Listing keys at [persistent/123456789/ccache/]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x2000):
Searching for [(type=simple)] at
[cn=ccache,cn=123456789,cn=persistent,cn=kcm] with scope=subtree
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x1000): No secrets found
(Fri May 10 12:33:34 2019) [sssd[kcm]] [ccdb_secdb_nextid_send]
(0x1000): Generated next ID 39355
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_ccdb_nextid_done]
(0x1000): generated 123456789:39355
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_gen_new_done] (0x1000):
Generated a new ID 123456789:39355
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_done] (0x0400): KCM
operation GEN_NEW returned [0]: Success
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_send_reply] (0x2000):
Sending a reply
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_output_construct]
(0x1000): Sending a reply with 20 bytes of payload
(Fri May 10 12:33:34 2019) [sssd[kcm]] [queue_removal_cb] (0x0200):
Removed queue for 123456789
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_send] (0x2000): All data sent!
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_input_parse] (0x1000):
Received message with length 20
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The
client requested operation 21
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM
operation SET_DEFAULT_CACHE
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 16
bytes on KCM input
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_send] (0x0200):
Adding request by 123456789 to the wait queue
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_get] (0x1000): No
existing queue for this ID
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_op_queue_send] (0x1000):
Queue was empty, running the request immediately
(Fri May 10 12:33:34 2019) [sssd[kcm]]
[kcm_op_set_default_ccache_send] (0x1000): Setting default ccache
123456789:39355
(Fri May 10 12:33:34 2019) [sssd[kcm]] [ccdb_secdb_uuid_by_name_send]
(0x2000): Translating name to UUID
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_map_path] (0x1000):
Mapping prefix /kcm/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_map_url_to_path] (0x1000):
User-specific KCM path is [/kcm/persistent/123456789/ccache/]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [local_db_dn] (0x2000): Local
path for [persistent/123456789/ccache/] is
[cn=ccache,cn=123456789,cn=persistent,cn=kcm]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_new_req] (0x1000):
Local DB path is persistent/123456789/ccache/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [secdb_container_url_req]
(0x2000): Created request for URL /kcm/persistent/123456789/ccache/
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x0400):
Listing keys at [persistent/123456789/ccache/]
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x2000):
Searching for [(type=simple)] at
[cn=ccache,cn=123456789,cn=persistent,cn=kcm] with scope=subtree
(Fri May 10 12:33:34 2019) [sssd[kcm]] [sss_sec_list] (0x1000): No secrets found
(Fri May 10 12:33:34 2019) [sssd[kcm]] [key_by_name] (0x0080): The
container was not found
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_ccdb_uuid_by_name_done]
(0x0040): Failed to resolve cache by UUID [1432158218]: No credentials
available
(Fri May 10 12:33:34 2019) [sssd[kcm]]
[kcm_op_set_default_ccache_getbyname_done] (0x0040): Cannot get ccache
by name [1432158218]: No credentials available
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_done] (0x0040): op
receive function failed [1432158218]: No credentials available
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_cmd_request_done]
(0x0040): KCM operation failed [1432158218]: No credentials available
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_reply_error] (0x0040): KCM
operation returs failure [1432158218]: No credentials available
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_failbuf_construct]
(0x1000): Sent reply with error -1765328243
(Fri May 10 12:33:34 2019) [sssd[kcm]] [queue_removal_cb] (0x0200):
Removed queue for 123456789
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_send] (0x2000): All data sent!
(Fri May 10 12:33:34 2019) [sssd[kcm]] [kcm_recv] (0x4000): Client
closed connection.
(Fri May 10 12:33:34 2019) [sssd[kcm]] [client_close_fn] (0x2000):
Terminated client [0x560fd598dc10][14]

So, sssd-kcm definitely failed.  This aligns with what sshd saw.

If I pre-create the cache on the target server (e.g., by running kinit
against a different principal) and repeat the experiment, sssd-kcm
still fails, but the debug output is slightly different:

(Fri May 10 12:56:27 2019) [sssd[kcm]] [get_client_cred] (0x4000):
Client creds: euid[123456789] egid[987654321] pid[8844].
(Fri May 10 12:56:27 2019) [sssd[kcm]] [setup_client_idle_timer]
(0x4000): Idle timer re-set for client [0x5589715428e0][14]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [accept_fd_handler] (0x0400):
Client connected!
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_input_parse] (0x1000):
Received message with length 4
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The
client requested operation 3
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM
operation GEN_NEW
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 0
bytes on KCM input
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_send] (0x0200):
Adding request by 123456789 to the wait queue
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_get] (0x1000): No
existing queue for this ID
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_send] (0x1000):
Queue was empty, running the request immediately
(Fri May 10 12:56:27 2019) [sssd[kcm]] [ccdb_secdb_nextid_send]
(0x1000): Generating a new ID
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_map_path] (0x1000):
Mapping prefix /kcm/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_map_url_to_path] (0x1000):
User-specific KCM path is [/kcm/persistent/123456789/ccache/]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [local_db_dn] (0x2000): Local
path for [persistent/123456789/ccache/] is
[cn=ccache,cn=123456789,cn=persistent,cn=kcm]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_new_req] (0x1000):
Local DB path is persistent/123456789/ccache/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [secdb_container_url_req]
(0x2000): Created request for URL /kcm/persistent/123456789/ccache/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x0400):
Listing keys at [persistent/123456789/ccache/]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x2000):
Searching for [(type=simple)] at
[cn=ccache,cn=123456789,cn=persistent,cn=kcm] with scope=subtree
(Fri May 10 12:56:27 2019) [sssd[kcm]] [local_dn_to_path] (0x2000):
Secrets path for
[cn=2c095c7e-978f-498c-aa46-f1641ac45545-123456789,cn=ccache,cn=123456789,cn=persistent,cn=kcm]
is [2c095c7e-978f-498c-aa46-f1641ac45545-123456789]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x1000):
Returning 1 secrets
(Fri May 10 12:56:27 2019) [sssd[kcm]] [ccdb_secdb_nextid_send]
(0x1000): Generated next ID 39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_ccdb_nextid_done]
(0x1000): generated 123456789:39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_gen_new_done] (0x1000):
Generated a new ID 123456789:39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_done] (0x0400): KCM
operation GEN_NEW returned [0]: Success
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_send_reply] (0x2000):
Sending a reply
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_output_construct]
(0x1000): Sending a reply with 20 bytes of payload
(Fri May 10 12:56:27 2019) [sssd[kcm]] [queue_removal_cb] (0x0200):
Removed queue for 123456789
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_send] (0x2000): All data sent!
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_input_parse] (0x1000):
Received message with length 20
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The
client requested operation 21
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM
operation SET_DEFAULT_CACHE
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 16
bytes on KCM input
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_send] (0x0200):
Adding request by 123456789 to the wait queue
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_get] (0x1000): No
existing queue for this ID
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_queue_send] (0x1000):
Queue was empty, running the request immediately
(Fri May 10 12:56:27 2019) [sssd[kcm]]
[kcm_op_set_default_ccache_send] (0x1000): Setting default ccache
123456789:39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [ccdb_secdb_uuid_by_name_send]
(0x2000): Translating name to UUID
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_map_path] (0x1000):
Mapping prefix /kcm/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_map_url_to_path] (0x1000):
User-specific KCM path is [/kcm/persistent/123456789/ccache/]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [local_db_dn] (0x2000): Local
path for [persistent/123456789/ccache/] is
[cn=ccache,cn=123456789,cn=persistent,cn=kcm]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_new_req] (0x1000):
Local DB path is persistent/123456789/ccache/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [secdb_container_url_req]
(0x2000): Created request for URL /kcm/persistent/123456789/ccache/
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x0400):
Listing keys at [persistent/123456789/ccache/]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x2000):
Searching for [(type=simple)] at
[cn=ccache,cn=123456789,cn=persistent,cn=kcm] with scope=subtree
(Fri May 10 12:56:27 2019) [sssd[kcm]] [local_dn_to_path] (0x2000):
Secrets path for
[cn=2c095c7e-978f-498c-aa46-f1641ac45545-123456789,cn=ccache,cn=123456789,cn=persistent,cn=kcm]
is [2c095c7e-978f-498c-aa46-f1641ac45545-123456789]
(Fri May 10 12:56:27 2019) [sssd[kcm]] [sss_sec_list] (0x1000):
Returning 1 secrets
(Fri May 10 12:56:27 2019) [sssd[kcm]] [key_by_name] (0x2000): No key matched
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_ccdb_uuid_by_name_done]
(0x0040): Failed to resolve cache by UUID [1432158218]: No credentials
available
(Fri May 10 12:56:27 2019) [sssd[kcm]]
[kcm_op_set_default_ccache_getbyname_done] (0x0040): Cannot get ccache
by name [1432158218]: No credentials available
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_done] (0x0040): op
receive function failed [1432158218]: No credentials available
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_request_done]
(0x0040): KCM operation failed [1432158218]: No credentials available
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_reply_error] (0x0040): KCM
operation returs failure [1432158218]: No credentials available
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_failbuf_construct]
(0x1000): Sent reply with error -1765328243
(Fri May 10 12:56:27 2019) [sssd[kcm]] [queue_removal_cb] (0x0200):
Removed queue for 123456789
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_send] (0x2000): All data sent!
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_recv] (0x4000): Client
closed connection.
(Fri May 10 12:56:27 2019) [sssd[kcm]] [client_close_fn] (0x2000):
Terminated client [0x5589715428e0][14]

Before I dig into this further, or go file a support request with Red
Hat, has anyone been able to get sssd-kcm to successfully accept
forwarded credentials from sshd on RHEL8?  If so, what did you have to
set or tweak to get it to work?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
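Added example (the editor's, not part of the poster's message and not sssd project code): a small Python script that parses the kind of sssd_kcm.log entries quoted above and decodes the com_err value in "Sent reply with error -1765328243". The sample lines are re-joined copies of entries from the second log excerpt, labelled as constructed; the krb5 error table below is a hand-copied partial subset (only the offsets used here); the 4-byte request header and the NUL-terminated ccache name are assumptions about the KCM wire format, checked only against the lengths the log reports. The point it makes is that the code sssd-kcm returned is KRB5_CC_NOTFOUND, whose message text is exactly the "Matching credential not found" that sshd printed, so the two logs describe one failure in SET_DEFAULT_CACHE, not two.

```python
"""Correlate sssd-kcm debug entries with the krb5 error sshd reported.

Editor-added example; not from the original post or from sssd itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# krb5 com_err codes are ERROR_TABLE_BASE_krb5 + a small offset.
KRB5_ERROR_TABLE_BASE = -1765328384
# Partial table (offset -> name, message); only the entries relevant here.
KRB5_ERRORS = {
    141: ("KRB5_CC_NOTFOUND", "Matching credential not found"),
    142: ("KRB5_CC_END", "End of credential cache reached"),
    195: ("KRB5_FCC_NOFILE", "No credentials cache found"),
}
# Assumption: a KCM request starts with a 4-byte header (major, minor, opcode).
KCM_HEADER_LEN = 4

LINE_RE = re.compile(
    r"^\([^)]*\) \[sssd\[kcm\]\] \[(?P<fn>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample: entries from the post's second run, re-joined one per line.
SAMPLE_LOG = """\
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_input_parse] (0x1000): Received message with length 4
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The client requested operation 3
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM operation GEN_NEW
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 0 bytes on KCM input
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_gen_new_done] (0x1000): Generated a new ID 123456789:39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_done] (0x0400): KCM operation GEN_NEW returned [0]: Success
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_input_parse] (0x1000): Received message with length 20
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_get_opt] (0x2000): The client requested operation 21
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x0400): KCM operation SET_DEFAULT_CACHE
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_cmd_send] (0x1000): 16 bytes on KCM input
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_op_set_default_ccache_send] (0x1000): Setting default ccache 123456789:39355
(Fri May 10 12:56:27 2019) [sssd[kcm]] [key_by_name] (0x2000): No key matched
(Fri May 10 12:56:27 2019) [sssd[kcm]] [kcm_failbuf_construct] (0x1000): Sent reply with error -1765328243
"""


@dataclass
class KcmOp:
    """One client request/response pair as seen by sssd-kcm."""
    msg_len: Optional[int] = None       # "Received message with length N"
    opcode: Optional[int] = None        # "The client requested operation N"
    name: Optional[str] = None          # "KCM operation NAME"
    payload_len: Optional[int] = None   # "N bytes on KCM input"
    ccache_name: Optional[str] = None   # ID generated or name being set
    succeeded: Optional[bool] = None
    error_code: Optional[int] = None    # krb5 com_err value on failure

    @property
    def header_len(self) -> Optional[int]:
        # Total message length minus payload should be the fixed header.
        if self.msg_len is None or self.payload_len is None:
            return None
        return self.msg_len - self.payload_len


def decode_krb5_error(code: int) -> Tuple[str, str]:
    """Map a negative com_err value to its krb5 name and message text."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if offset in KRB5_ERRORS:
        return KRB5_ERRORS[offset]
    return ("UNKNOWN", f"offset {offset} not in the partial table")


def nul_terminated_len(name: str) -> int:
    """Bytes a NUL-terminated UTF-8 string occupies on the wire."""
    return len(name.encode("utf-8")) + 1


def parse_kcm_log(text: str) -> List[KcmOp]:
    """Group sssd_kcm.log entries into per-request KcmOp records."""
    ops: List[KcmOp] = []
    cur: Optional[KcmOp] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fn, msg = m.group("fn"), m.group("msg")
        if fn == "kcm_input_parse" and msg.startswith("Received message with length "):
            cur = KcmOp(msg_len=int(msg.rsplit(" ", 1)[1]))
            ops.append(cur)
        elif cur is None:
            continue
        elif fn == "kcm_get_opt":
            cur.opcode = int(msg.rsplit(" ", 1)[1])
        elif fn == "kcm_cmd_send" and msg.startswith("KCM operation "):
            cur.name = msg.split()[-1]
        elif fn == "kcm_cmd_send" and msg.endswith("bytes on KCM input"):
            cur.payload_len = int(msg.split()[0])
        elif fn in ("kcm_op_gen_new_done", "kcm_op_set_default_ccache_send"):
            cur.ccache_name = msg.rsplit(" ", 1)[1]
        elif fn == "kcm_cmd_done" and "returned [0]" in msg:
            cur.succeeded = True
        elif fn == "kcm_failbuf_construct":
            cur.succeeded = False
            cur.error_code = int(msg.rsplit(" ", 1)[1])
    return ops


if __name__ == "__main__":
    for op in parse_kcm_log(SAMPLE_LOG):
        status = "ok" if op.succeeded else "%s (%s)" % decode_krb5_error(op.error_code)
        print(f"op {op.opcode} {op.name}: header={op.header_len} "
              f"payload={op.payload_len} name={op.ccache_name} -> {status}")
```

Run as-is it prints one line per KCM operation: GEN_NEW succeeds and hands back "123456789:39355"; SET_DEFAULT_CACHE carries exactly 16 payload bytes, which is that 15-character name plus a terminating NUL, and fails with KRB5_CC_NOTFOUND. If you capture your own sssd_kcm.log with debug_level = 9 and feed it to parse_kcm_log(), the same correlation tells you which operation sshd's "Matching credential not found" actually came from.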