Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KCM erroneously changes primary cache when renewing credentials #6357

Closed
qralston opened this issue Sep 20, 2022 · 3 comments
Closed

KCM erroneously changes primary cache when renewing credentials #6357

qralston opened this issue Sep 20, 2022 · 3 comments
Assignees
@aplopez
Labels
Bugzilla Closed: Fixed Issue was closed as fixed. Future work Prioritize

Comments

@qralston
Copy link

I work on multiple systems in multiple domains, so whenever I start my workday, I knit to acquire all of the credentials I need:

  • user1@DOMAIN1.EXAMPLE.ORG
  • user2@DOMAIN1.EXAMPLE.ORG
  • user3@DOMAIN1.EXAMPLE.ORG
  • user1@DOMAIN2.EXAMPLE.ORG
  • user2@DOMAIN2.EXAMPLE.ORG
  • user3@DOMAIN2.EXAMPLE.ORG
  • user1@DOMAIN3.EXAMPLE.ORG
  • user2@DOMAIN3.EXAMPLE.ORG
  • user1@DOMAIN4.EXAMPLE.ORG

I have the sssd krb5_renew_interval option set to 1h, which enables KCM ticket renewal. I will also periodically renew tickets myself. (E.g., if I am finishing up work for the day, if I am working on my laptop, before I close its lid to suspend it, I will renew all of my credentials, so that they don’t expire overnight when the laptop is suspended and KCM cannot renew them.)

The main domain I work in is user1@DOMAIN1.EXAMPLE.ORG, so whenever I kinit, I always run kswitch -p user1@DOMAIN1.EXAMPLE.ORG to switch the primary cache back to user1@DOMAIN1.EXAMPLE.ORG. E.g.:

$ klist
Ticket cache: KCM:116201957:35652
Default principal: user1@DOMAIN1.EXAMPLE.ORG

Valid starting       Expires              Service principal
2022-09-20 10:11:45  2022-09-21 10:11:37  krbtgt/DOMAIN1.EXAMPLE.ORG@DOMAIN1.EXAMPLE.ORG
        renew until 2022-09-27 10:11:37

But: if KCM renews credentials, it will leave the primary cache set to an arbitrary credential—likely (I suspect) the last credential it renewed. So after a while, I can run klist again and see (e.g.):

$ klist
Ticket cache: KCM:116201957:56094
Default principal: user3@DOMAIN2.EXAMPLE.ORG

Valid starting       Expires              Service principal
2022-09-20 15:11:45  2022-09-21 15:11:37  krbtgt/DOMAIN2.EXAMPLE.ORG@DOMAIN2.EXAMPLE.ORG
        renew until 2022-09-27 15:11:37

Having KCM silently switch the primary cache underneath me breaks workflows. For example, one of the reasons why I set user1@DOMAIN1.EXAMPLE.ORG as the primary cache is because I interact with internal web sites that perform GSSAPI authentication using that credential. And when KCM switches the default credential out from underneath me, it breaks my interaction with those web sites.

This is an error. It is a welcome feature that KCM can automatically renew credentials in the cache, but KCM must restore the correct primary cache after it performs its renewal operations. From the user’s perspective, KCM must not change the primary cache.

I see this behavior on the latest RHEL9 sssd, sssd-2.6.2-4.el9_0.1.
@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Nov 4, 2022
edited
Loading

RHBZs:

@aplopez
Copy link
Contributor

aplopez commented Mar 20, 2023
edited
Loading

It seems @justin-stephenson was right in his analysis:
https://bugzilla.redhat.com/show_bug.cgi?id=2143925#c14

In other words, his analysis looks right to me and it worked when I tried it.

aplopez added a commit to aplopez/sssd that referenced this issue Mar 20, 2023
@aplopez
KCM: Switch default caches only when there is no current default.
4e7ce78 
Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition is wrong. It should be its negation so that the
cache is switched when there is no current default.

Resolves: SSSD#6357
@aplopez aplopez mentioned this issue Mar 20, 2023
Closed
aplopez added a commit to aplopez/sssd that referenced this issue Mar 20, 2023
@aplopez
KCM: Switch default caches only when there is no current default.
23e44fc 
Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition should be negated so that the cache is switched when
there is no current default.

Resolves: SSSD#6357
pbrezina pushed a commit that referenced this issue Mar 27, 2023
@aplopez @pbrezina
KCM: Switch default caches only when there is no current default.
767234a 
Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition should be negated so that the cache is switched when
there is no current default.

Resolves: #6357

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 55e27a4)
@pbrezina
Copy link
Member

Pushed PR: #6632

  • master
    • 55e27a4 - KCM: Switch default caches only when there is no current default.
  • sssd-2-8
    • 767234a - KCM: Switch default caches only when there is no current default.

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Mar 27, 2023
@qralston qralston mentioned this issue Apr 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aplopez aplopez

Labels
Bugzilla Closed: Fixed Issue was closed as fixed. Future work Prioritize
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

KCM: Switch default caches only when there is no current default. aplopez/sssd
5 participants
@qralston @justin-stephenson @aplopez @pbrezina @alexey-tikhonov