Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 985107 - Please change the default location for Kerberos credential caches to DIR:/run/usr/UID/krb5cc
Summary: Please change the default location for Kerberos credential caches to DIR:/run...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-16 19:34 UTC by Nalin Dahyabhai
Modified: 2014-02-06 18:32 UTC (History)
8 users (show)

Fixed In Version: samba-4.0.8-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-09 17:09:15 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Samba Project 10043 None None None Never

Description Nalin Dahyabhai 2013-07-16 19:34:42 UTC
Description of problem:
As part of the Fedora features https://fedoraproject.org/wiki/Features/KRB5CacheMove and https://fedoraproject.org/wiki/Features/KRB5DirCache, we'd like to have winbind's ccache management facility store a user's Kerberos credentials in the per-user /run/user/$UID directory.

Specifically, either on F19 and later, or if you prefer, if the default name returned by krb5_cc_default_name() begins with "DIR:", instead of storing credentials in "FILE:/tmp/krb5cc_%d", we'd like to use "DIR:/run/user/%d/krb5cc" instead.  There's a bit more work involved, since on subsequent saves you'll probably want to locate an extant ccache in the collection rather than create a new one, but hopefully that's manageable.

Version-Release number of selected component (if applicable):
samba-winbind-4.0.7-1.fc19 (based on conversation in bug #796429)

Comment 3 Andreas Schneider 2013-07-22 11:14:51 UTC
Günther and I implemented it last week in Samba. It can be configured by setting krb5_cc_type in pam_winbind.conf.

We need a bug for authconfig to change it to DIR or DIR:/run/user/%u/krb5cc once we have the patch in Samba.

Comment 4 Andreas Schneider 2013-07-24 09:35:37 UTC
You can define the location by setting:

krb5_ccache_type = DIR:/run/user/%u/krb5cc

in /etc/security/pam_winbind.conf now.

Comment 5 Fedora Update System 2013-07-24 12:57:01 UTC
samba-4.0.7-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/samba-4.0.7-3.fc19

Comment 6 Fedora Update System 2013-07-25 00:33:18 UTC
Package samba-4.0.7-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-4.0.7-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13541/samba-4.0.7-3.fc19
then log in and leave karma (feedback).

Comment 7 David Woodhouse 2013-07-26 12:53:01 UTC
How is /run/user/${uid}/ supposed to be created?

Testing this with 'su dwoodhou' from another user, I found /run/user/501/krb5cc owned by root.root. I removed the entire /run/user/501 directory, then tried 'su dwoodhou' again. And it didn't get recreated.

I created it manually, and now the krb5cc directory is *slightly* saner. Now it's owned by the 'dwoodhou' user at least, and the 'root' group:

[dwoodhou@i7 dwmw2]$ ls -la /run/user/501/krb5cc/
total 12
drwx------. 2 dwoodhou root       80 Jul 26 13:50 .
drwxr-xr-x. 3 dwoodhou dwoodhou   60 Jul 26 13:50 ..
-rw-------. 1 dwoodhou root        4 Jul 26 13:50 primary
-rw-------. 1 dwoodhou root     5922 Jul 26 13:50 tkt

Comment 8 David Woodhouse 2013-07-26 12:59:30 UTC
I have an odd setup here. My local username is 'dwmw2' not 'dwoodhou' for historical reasons. So I don't usually *use* the 'dwoodhou' local user for anything but this kind of test, and I actually use 'wbinfo -K dwoodhou' after logging in as dwmw2.

That still puts the krb5cc in the old location though:

[dwmw2@i7 ~]$ rm /tmp/krb5cc_500 
[dwmw2@i7 ~]$ wbinfo -K dwoodhou
Enter dwoodhou's password: 
plaintext kerberos password authentication for [dwoodhou] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_500
[dwmw2@i7 ~]$ klist
klist: No credentials cache found (ticket cache DIR::/run/user/500/krb5cc/tkt)
[dwmw2@i7 ~]$ ls -l /tmp/krb5cc_500
-rw-------. 1 dwmw2 root 5922 Jul 26 13:56 /tmp/krb5cc_500
[dwmw2@i7 ~]$ 


Using '--pam-login=dwoodhou' doesn't seem to create a creds cache *anywhere*, for *either* user. Although a real PAM login would.

Comment 9 David Woodhouse 2013-07-26 13:04:54 UTC
And 'ssh dwoodhou@localhost' results in no ccache, and:

kinit failed for 'dwoodhou@GER.CORP.INTEL.COM' with: No credentials cache found (-1765328189)
ads_kdestroy: krb5_cc_resolve failed: No credentials cache found
winbindd_raw_kerberos_login: could not destroy krb5 credential cache: No credentials cache found
ads_kdestroy: krb5_cc_destroy failed: No credentials cache found
falling back to samlogon


[dwmw2@i7 ~]$ sudo rm -rf /run/user/501
[dwmw2@i7 ~]$ ssh dwoodhou@localhost
dwoodhou@localhost's password: 
Last login: Fri Jul 26 14:04:05 2013 from localhost.localdomain
[dwoodhou@i7 ~]$ ls -l /run/user/501
total 0
[dwoodhou@i7 ~]$

Comment 10 Fedora Update System 2013-08-05 16:11:31 UTC
samba-4.0.8-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/samba-4.0.8-1.fc19

Comment 11 Fedora Update System 2013-08-09 17:09:15 UTC
samba-4.0.8-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Brian J. Murrell 2014-02-06 17:13:46 UTC
Is it not feasible for samba to read the location from krb5.conf like everything else does rather than having to configure the same thing in a different location?

I guess that's an upstream issue though.

Comment 13 Brian J. Murrell 2014-02-06 17:24:10 UTC
And I can confirm "wbinfo -K" does not use the:

krb5_ccache_type = DIR:/run/user/%u/krb5cc

that I added to /etc/security/pam_winbind.conf:

$ wbinfo -K brian
Enter brian's password: 
plaintext kerberos password authentication for [brian] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1001

So can we reopen this ticket for this failure?

Comment 14 Alexander Bokovoy 2014-02-06 17:24:10 UTC
Samba uses multiple ccaches for different purposes. It is downstream-specific detail where they are placed since it is more of a distribution policy. So no need to handle it at upstream, we already have means to handle specific locations.

Comment 15 David Woodhouse 2014-02-06 17:59:35 UTC
We have the means to handle the specific locations but ISTR the stumbling block was *creating* the /run/user/%u/ directory at the appropriate time.

For that reason I have configured my users' systems to use the old-style FILE ccache in /tmp. Not quite sure what provoked Brian to revert that change, but it's a timely reminder for me to chase this up...

Comment 16 Alexander Bokovoy 2014-02-06 18:00:25 UTC
wbinfo has --krb5ccname option to pass the non-default ccache name.

winbindd unserstands other types of ccaches (KEYRING: and DIR:) but since request comes over unix domain socket, it cannot assume the calling party knows about these other types and defaults to a safe FILE: default.

Comment 17 Brian J. Murrell 2014-02-06 18:19:06 UTC
(In reply to Alexander Bokovoy from comment #16)
> wbinfo has --krb5ccname option to pass the non-default ccache name.

Ahhh.  That's not documented in the manpage.  In any case, that doesn't seem to be working here:

$ wbinfo --krb5ccname DIR:/run/user/1001/krb5cc -K brian
Enter brian's password: 
plaintext kerberos password authentication for [brian] succeeded (requesting cctype: DIR:/run/user/1001/krb5cc)

It says it's writing it but it doesn't actually get written:

$ ls -l /run/user/1001/krb5cc
ls: cannot access /run/user/1001/krb5cc: No such file or directory

(In reply to David Woodhouse from comment #15)
> Not quite sure what provoked Brian to revert that
> change

Multiple realm support.

Comment 18 Alexander Bokovoy 2014-02-06 18:32:25 UTC
(In reply to Brian J. Murrell from comment #17)
> (In reply to Alexander Bokovoy from comment #16)
> > wbinfo has --krb5ccname option to pass the non-default ccache name.
> 
> Ahhh.  That's not documented in the manpage.  In any case, that doesn't seem
> to be working here:
> 
> $ wbinfo --krb5ccname DIR:/run/user/1001/krb5cc -K brian
> Enter brian's password: 
> plaintext kerberos password authentication for [brian] succeeded (requesting
> cctype: DIR:/run/user/1001/krb5cc)
> 
> It says it's writing it but it doesn't actually get written:
> 
> $ ls -l /run/user/1001/krb5cc
> ls: cannot access /run/user/1001/krb5cc: No such file or directory
This is exactly what couldn't be fixed from Samba side because /run/user/%u/krb5cc is privileged and cannot be created by libkrb5. We had quite a discussion in F19 time with systemd folks on how to solve it (see fedora development mailing list archives) which resulted in creating KEYRING: ccache type. Unfortunately, KEYRING: is limited in how other processes can access it.


Note You need to log in before you can comment on or make changes to this bug.