Debian Bug report logs - #1033164
krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name

Package: krb5-doc; Maintainer for krb5-doc is Sam Hartman <hartmans@debian.org>; Source for krb5-doc is src:krb5 (PTS, buildd, popcon).

Reported by: "Karl O. Pinc" <kop@karlpinc.com>

Date: Sat, 18 Mar 2023 19:51:00 UTC

Severity: normal

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Sat, 18 Mar 2023 19:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Karl O. Pinc" <kop@karlpinc.com>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 18 Mar 2023 19:51:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@karlpinc.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Sat, 18 Mar 2023 14:40:17 -0500
Package: krb5-doc
Severity: normal

Hi,

I have not actually set up the necessary environment to reproduce this
bug on Debian, but I have (tried to) examine the source code and
believe the bug exists in Debian.  I do know that this bug exists on
Ubuntu, and have examined the Ubuntu-specific patches and found
nothing that I can see affects the bug.

Here is a copy of the Ubuntu bug report:

The krb5 documentation says that DEFCCNAME is /tmp/krb5cc_%{uid}. But
actual credential cache file names look like:
/tmp/krb5cc_127408622_wH2NwY

Setting [libdefaults] default_ccache_name to krb5cc_%{uid} in
/etc/krb5.conf produces the expected credential cache file.

Unless you know this, using "multiuser" in fstab with cifs/samba/smb
mounts is nigh impossible.


The Ubuntu bug can be found at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2012140

The /tmp/krb5cc_127408622_wH2NwY cached credential file above was produced by
an MS Active Directory user login.

(This bug also makes username= cifs mounts fail.)

Apologies if this bug report is nothing but noise.  But I'd like to
get the attention of somebody, so cifs/smb3 per-user mounts don't take
gobs of research.  I will file a related cifs-utils bug and update this
bug with the bug number.  I'm hoping that a "kerberos person" can easily
verify the issue and so I'm not wasting too much of your time.

Thanks.

-- System Information:
Debian Release: 11.6
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Sat, 18 Mar 2023 20:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to "Karl O. Pinc" <kop@karlpinc.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 18 Mar 2023 20:15:07 GMT) (full text, mbox, link).


Message #10 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@karlpinc.com>
To: 1033164@bugs.debian.org
Subject: Samba mount bug related to using the wrong krb5 credential cache
Date: Sat, 18 Mar 2023 15:06:56 -0500
Debian bug #986168



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 00:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Benjamin Kaduk <kaduk@mit.edu>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 20 Mar 2023 00:09:03 GMT) (full text, mbox, link).


Message #15 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@mit.edu>
To: "Karl O. Pinc" <kop@karlpinc.com>, 1033164@bugs.debian.org
Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Sun, 19 Mar 2023 17:08:01 -0700
Hmm, on my local machines (one running Debian, one running Ubuntu) I appear
to be seeing the expected default /tmp/krb5cc_%{uid} behavior.
I couldn't quite follow how your credentials were obtained; were they
perhaps obtained as part of the login process?  The PAM configuration might
well be relevant in that case.

-Ben



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 12:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Hasenack <andreas@canonical.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 20 Mar 2023 12:30:04 GMT) (full text, mbox, link).


Message #20 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: Andreas Hasenack <andreas@canonical.com>
To: Benjamin Kaduk <kaduk@mit.edu>, 1033164@bugs.debian.org
Cc: "Karl O. Pinc" <kop@karlpinc.com>
Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Mon, 20 Mar 2023 09:27:39 -0300
The extra randomness suffix happens when you login via ssh/gssapi.

On Sun, Mar 19, 2023 at 9:09 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> Hmm, on my local machines (one running Debian, one running Ubuntu) I appear
> to be seeing the expected default /tmp/krb5cc_%{uid} behavior.
> I couldn't quite follow how your credentials were obtained; were they
> perhaps obtained as part of the login process?  The PAM configuration might
> well be relevant in that case.
>
> -Ben
>



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 17:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Karl O. Pinc" <kop@karlpinc.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 20 Mar 2023 17:33:02 GMT) (full text, mbox, link).


Message #25 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@karlpinc.com>
To: Andreas Hasenack <andreas@canonical.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, 1033164@bugs.debian.org
Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Mon, 20 Mar 2023 12:31:08 -0500
On Mon, 20 Mar 2023 09:27:39 -0300
Andreas Hasenack <andreas@canonical.com> wrote:

> The extra randomness suffix happens when you login via ssh/gssapi.

That is exactly how I'm logging in, authenticating credentials with 
MS Active Directory, with configuration set in /etc/sssd/sssd.conf
and /etc/krb5.conf -- after joining with the "realm" command.

Winbind is not involved. And /etc/samba/smb.conf is involved only in
so far as setting "server role = member server" and
"kerberos method = secrets and keytab" (and realm and workgroup).
But smb.conf is involved only in so far as it is needed to mount
shares with a type of smb3 and sec=krb5.
Without making any changes to smb.conf I can login and
see a credential cache file in /tmp/ with the extra randomness
suffix.  So the addition of the suffix does not seem to involve
smb.conf.

To be honest, I'm unclear on the involvement of gssapi.  There's
nothing in /etc/pam.d/ which invokes pam_sss_gss.so, and there's nothing
explicit in /etc/sssd/sssd.conf mentioning gss.  And sssd.conf(5)
seems to indicate that gssapi is not used unless explicitly configured.
So, without really knowing what gssapi does, I don't see it being
called.  Yet I believe I've
seen log entries, or something, at some point while I was doing lots
of poking with a stick, that mentioned gssapi.  I suppose I could be
wrong.  Yup, here's a sample (there are other log entries from auditd):

sssd[15755]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

There are also various messages involving adcli, and some from
ldap_child.

Thanks for the help.


> 
> On Sun, Mar 19, 2023 at 9:09 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > Hmm, on my local machines (one running Debian, one running Ubuntu)
> > I appear to be seeing the expected default /tmp/krb5cc_%{uid}
> > behavior. I couldn't quite follow how your credentials were
> > obtained; were they perhaps obtained as part of the login process?
> > The PAM configuration might well be relevant in that case.
> >
> > -Ben
> >  
> 


Regards,

Karl <kop@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 18:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 20 Mar 2023 18:21:03 GMT) (full text, mbox, link).


Message #30 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@debian.org>
To: "Karl O. Pinc" <kop@karlpinc.com>, 1033164-done@bugs.debian.org, Andreas Hasenack <andreas@canonical.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, 1033164@bugs.debian.org
Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Mon, 20 Mar 2023 12:16:58 -0600
>>>>> "Karl" == Karl O Pinc <kop@karlpinc.com> writes:

    Karl> On Mon, 20 Mar 2023 09:27:39 -0300
    Karl> Andreas Hasenack <andreas@canonical.com> wrote:

    >> The extra randomness suffix happens when you login via
    >> ssh/gssapi.

    Karl> That is exactly how I'm logging in, authenticating credentials
    Karl> with MS Active Directory, with configuration set in
    Karl> /etc/sssd/sssd.conf and /etc/krb5.conf -- after joining with
    Karl> the "realm" command.

pam_sssd always adds randomness to the cache name.
So, this is not an issue with krb5; pam_sssd is explicitly setting
KRB5CCNAME environment variable.



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 20 Mar 2023 18:21:05 GMT) (full text, mbox, link).


Notification sent to "Karl O. Pinc" <kop@karlpinc.com>:
Bug acknowledged by developer. (Mon, 20 Mar 2023 18:21:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 18:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Karl O. Pinc" <kop@karlpinc.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 20 Mar 2023 18:33:03 GMT) (full text, mbox, link).


Message #40 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@karlpinc.com>
To: "Debian Bug Tracking System" <owner@bugs.debian.org>
Cc: 1033164@bugs.debian.org
Subject: Re: Bug#1033164 closed by Sam Hartman <hartmans@debian.org> (Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name)
Date: Mon, 20 Mar 2023 13:31:03 -0500
> From: Sam Hartman <hartmans@debian.org>
> To: "Karl O. Pinc" <kop@karlpinc.com>, 1033164-done@bugs.debian.org, Andreas  Hasenack <andreas@canonical.com>
> Cc: Benjamin Kaduk <kaduk@mit.edu>, 1033164@bugs.debian.org
> Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably,  not the actual credential cache name
> Date: Mon, 20 Mar 2023 12:16:58 -0600
> 
> >>>>> "Karl" == Karl O Pinc <kop@karlpinc.com> writes:  
> 
>     Karl> On Mon, 20 Mar 2023 09:27:39 -0300
>     Karl> Andreas Hasenack <andreas@canonical.com> wrote:  
> 
>     >> The extra randomness suffix happens when you login via
>     >> ssh/gssapi.  
> 
>     Karl> That is exactly how I'm logging in, authenticating credentials
>     Karl> with MS Active Directory, with configuration set in
>     Karl> /etc/sssd/sssd.conf and /etc/krb5.conf -- after joining with
>     Karl> the "realm" command.  
> 
> pam_sssd always adds randomness to the cache name.
> So, this is not an issue with krb5; pam_sssd is explicitly setting
> KRB5CCNAME environment variable.

Thanks for the help with this.  Much appreciated.

Regards,

Karl <kop@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#1033164; Package krb5-doc. (Mon, 20 Mar 2023 19:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Karl O. Pinc" <kop@karlpinc.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 20 Mar 2023 19:30:03 GMT) (full text, mbox, link).


Message #45 received at 1033164@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@karlpinc.com>
To: Sam Hartman <hartmans@debian.org>
Cc: 1033164-done@bugs.debian.org, Andreas Hasenack <andreas@canonical.com>, Benjamin Kaduk <kaduk@mit.edu>, 1033164@bugs.debian.org
Subject: Re: Bug#1033164: krb5-doc: The documented DEFCCNAME is, probably, not the actual credential cache name
Date: Mon, 20 Mar 2023 14:26:58 -0500
On Mon, 20 Mar 2023 12:16:58 -0600
Sam Hartman <hartmans@debian.org> wrote: 

> pam_sssd always adds randomness to the cache name.
> So, this is not an issue with krb5; pam_sssd is explicitly setting
> KRB5CCNAME environment variable.

As an FYI, I don't see any of the above documented (Ubuntu 22.04.2 LTS)
in pam_sss(8) or pam_sss_gss(8).  (I can't find a man page for
pam_sssd.)  Further, the krb5_ccname_template section of sssd-krb5(5)
indicates that the default is the Kerberos DEFCCNAME, as it refers
to krb5.conf(5), the libdefaults section.

So that makes it all a bit confusing.  But I'm going to focus on 
my problems getting cifs.upcall working, getting it the "right"
ccname, and leave these documentation issues for others.
(I mean, I can _make_ cifs.upcall work, but getting there
was painful.  It should work better out of the box.)

Anyway, again, thanks all for the help.

Regards,

Karl <kop@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
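The thread's conclusion is that the cache name a session actually uses comes from the KRB5CCNAME that pam_sss exports (with a random suffix), not from the documented DEFCCNAME template. The following diagnostic is an added example, not code from the bug report or from the krb5/sssd projects: it expands the documented template for a given uid and classifies an observed cache name as the documented default, a random-suffix variant of it, or something else. The set of %{...} parameters it expands and the six-character suffix pattern are assumptions inferred from the sample name in the report.

```python
"""Compare the Kerberos credential cache a session actually uses with the
DEFCCNAME template documented in krb5.conf(5).

Added example; not from the bug report or the krb5/sssd projects.
Assumptions: only %{uid}, %{euid}, %{username} and %{TEMP} are expanded,
and the random suffix is '_' plus six alphanumerics, as in the sample
/tmp/krb5cc_127408622_wH2NwY quoted in the report."""
import os
import re

# The default the report quotes from the krb5 documentation.
DEFAULT_TEMPLATE = "/tmp/krb5cc_%{uid}"

# Suffix shape inferred from the report's sample name (assumption).
RANDOM_SUFFIX = re.compile(r"^(.*)_([A-Za-z0-9]{6})$")


def expand_ccname_template(template, uid, username, euid=None, tmp="/tmp"):
    """Expand the subset of %{...} parameters this example supports."""
    subst = {"uid": str(uid), "euid": str(uid if euid is None else euid),
             "username": username, "TEMP": tmp}

    def repl(match):
        key = match.group(1)
        if key not in subst:
            raise ValueError("unsupported template parameter %%{%s}" % key)
        return subst[key]

    return re.sub(r"%\{([A-Za-z_]+)\}", repl, template)


def strip_cc_type(name):
    """Drop a leading cache-type prefix such as 'FILE:' or 'DIR:'."""
    return name.split(":", 1)[1] if re.match(r"^[A-Z]+:", name) else name


def classify_ccache(observed, uid, username, template=DEFAULT_TEMPLATE):
    """Return 'default', 'random-suffix' or 'other' for an observed name."""
    expected = strip_cc_type(expand_ccname_template(template, uid, username))
    path = strip_cc_type(observed)
    if path == expected:
        return "default"
    match = RANDOM_SUFFIX.match(path)
    if match and match.group(1) == expected:
        return "random-suffix"  # KRB5CCNAME points at a per-login unique file
    return "other"


def check_session():
    """Classify the KRB5CCNAME of the current session; None if it is unset."""
    name = os.environ.get("KRB5CCNAME")
    if not name:
        return None
    return classify_ccache(name, os.getuid(), os.environ.get("USER", ""))
```

A 'random-suffix' result means the login stack, not krb5's DEFCCNAME, chose the name, which is the case to account for when a consumer such as cifs.upcall expects the documented default.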



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Apr 2023 07:25:43 GMT) (full text, mbox, link).

