If a user logs in by forwarding krb credentials AND then subsequently uses a password to acquire credentials, krb5_child gets confused about which ticket cache to use.

Steps to reproduce:
- configure the host to use KEYRING in krb5.conf:
  [libdefaults]
  default_ccache_name = KEYRING:persistent:%{uid}
- reboot
- log in as a network user with a password, run klist and note the ccache name (1), then log out
- log in as a network user with -K (forwarding tickets), run klist and note the new ccache name (2) (klist -A shows both), then log out
- log in as a network user with a password: credentials are now empty (klist and klist -A). Note that the second cache (2) is updated instead of (1) being populated, but KRB5CCNAME is set to cache (1), making network resources unavailable to the user by default.
Noted from krb5_child logs:
(2023-12-21 9:05:00): [krb5_child[5278]] [get_and_save_tgt] (0x2000): [RID#21] Running as [966406121][966400513].
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_get_ccache_name_for_principal] (0x4000): [RID#21] Location: [KEYRING:persistent:966406121]
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_get_ccache_name_for_principal] (0x4000): [RID#21] tmp_ccname: [KEYRING:persistent:966406121:krb_ccache_nbZc7EF]
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] Initializing ccache of type [KEYRING]
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] CC supports switch
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] returning: 0
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_krb5_check_ccache_princ] (0x0040): [RID#21] 402: [-1765328189][Credentials cache keyring 'persistent:966406121:krb_ccache_S2HYDYd' not found]
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_krb5_check_ccache_princ] (0x0020): [RID#21] krb5_cc_get_principal failed.
(2023-12-21 9:05:00): [krb5_child[5278]] [safe_remove_old_ccache_file] (0x0400): [RID#21] New and old ccache file are the same, none will be deleted.
(2023-12-21 9:05:00): [krb5_child[5278]] [k5c_send_data] (0x0200): [RID#21] Received error code 0
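The log excerpt above already contains the evidence of the confusion: `sss_get_ccache_name_for_principal` reports a freshly created subsidiary cache (`krb_ccache_nbZc7EF`), and a few lines later `sss_krb5_check_ccache_princ` fails to open a different one (`krb_ccache_S2HYDYd`) in the same `persistent:<uid>` collection. The following script is an added example, not code from SSSD or from the reporter; it parses krb5_child debug lines of this shape, pairs the created and the missing ccache per request id, and flags the mismatch so the condition can be spotted in a larger log without reading it by hand. The log sample embedded in it is the excerpt from this report; the regular expressions and function names are my own assumptions about the line format, not an SSSD API.

```python
import re

# Log excerpt copied from the krb5_child output quoted in this report.
SAMPLE_LOG = """\
(2023-12-21 9:05:00): [krb5_child[5278]] [get_and_save_tgt] (0x2000): [RID#21] Running as [966406121][966400513].
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_get_ccache_name_for_principal] (0x4000): [RID#21] Location: [KEYRING:persistent:966406121]
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_get_ccache_name_for_principal] (0x4000): [RID#21] tmp_ccname: [KEYRING:persistent:966406121:krb_ccache_nbZc7EF]
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] Initializing ccache of type [KEYRING]
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] CC supports switch
(2023-12-21 9:05:00): [krb5_child[5278]] [create_ccache] (0x4000): [RID#21] returning: 0
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_krb5_check_ccache_princ] (0x0040): [RID#21] 402: [-1765328189][Credentials cache keyring 'persistent:966406121:krb_ccache_S2HYDYd' not found]
(2023-12-21 9:05:00): [krb5_child[5278]] [sss_krb5_check_ccache_princ] (0x0020): [RID#21] krb5_cc_get_principal failed.
(2023-12-21 9:05:00): [krb5_child[5278]] [safe_remove_old_ccache_file] (0x0400): [RID#21] New and old ccache file are the same, none will be deleted.
(2023-12-21 9:05:00): [krb5_child[5278]] [k5c_send_data] (0x0200): [RID#21] Received error code 0
"""

# Assumed shape of a krb5_child debug line: (timestamp): [krb5_child[pid]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
TMP_CCNAME_RE = re.compile(r"tmp_ccname: \[(?P<name>[^\]]+)\]")
# -1765328189 in the quoted line is krb5's KRB5_FCC_NOFILE ("credentials cache not found").
NOT_FOUND_RE = re.compile(r"Credentials cache keyring '(?P<name>[^']+)' not found")


def parse_krb5_child_log(text):
    """Parse krb5_child debug lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def strip_cc_type(name):
    """'KEYRING:persistent:1000:x' -> 'persistent:1000:x', so the tmp_ccname form and
    the form used in the 'not found' error compare equal; other cache types are untouched."""
    return name.split(":", 1)[1] if name.startswith("KEYRING:") else name


def find_ccache_mismatches(events):
    """Per request id, pair the ccache krb5_child created with any ccache it then failed
    to open. A differing subsidiary name means the child stored the TGT in one cache and
    looked for it in another, which is the symptom described in this report."""
    created, missing = {}, {}
    for ev in events:
        m = TMP_CCNAME_RE.search(ev["msg"])
        if m:
            created[ev["rid"]] = strip_cc_type(m.group("name"))
        m = NOT_FOUND_RE.search(ev["msg"])
        if m:
            missing[ev["rid"]] = strip_cc_type(m.group("name"))
    findings = []
    for rid, want in missing.items():
        have = created.get(rid)
        if have is not None and have != want:
            findings.append({
                "rid": rid,
                "created": have,
                "missing": want,
                # True when both live in the same persistent:<uid> collection but are
                # different subsidiary caches, as in the quoted log.
                "same_collection": have.rsplit(":", 1)[0] == want.rsplit(":", 1)[0],
            })
    return findings


if __name__ == "__main__":
    for f in find_ccache_mismatches(parse_krb5_child_log(SAMPLE_LOG)):
        print(f"RID#{f['rid']}: wrote {f['created']} but looked for {f['missing']}"
              f" (same keyring collection: {f['same_collection']})")
```

Run against the full krb5_child log (debug_level 0x4000 or higher, so that the `tmp_ccname` lines are present) rather than this excerpt; one finding per request id with `same_collection` True is the signature of the two-cache state described in the reproduction steps.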