Rework krb5cc handling logic #699
Conversation
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
3 times, most recently
from
7da1eeb
to
5cb1f6c
Compare
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
from
5cb1f6c
to
326decb
Compare
Codecov Report
@@ Coverage Diff @@
## main #699 +/- ##
==========================================
- Coverage 84.73% 84.57% -0.16%
==========================================
Files 75 75
Lines 8177 8229 +52
==========================================
+ Hits 6929 6960 +31
- Misses 936 950 +14
- Partials 312 319 +7
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
from
326decb
to
b269169
Compare
There was a problem hiding this comment.
Nice work! It’s always almost a deception when you see how much the investigation took compared to the "fix" (or rather workaround here). Well done!
I have one small request to make the whole logic more understandable in the future (I think, as an admin, I open the cache and see directly what is in use).
However, I wonder about the coverage. Codecov is not really helpful as it doesn’t show up the file diff change. Do you think that some tests in ad_test.go could be added to trigger some uncovered tests and not only relying on the integration tests to cover it?
(I’m thinking in particular about a test with ticket, ad, get it, then updating the ticket, ad away, -> copy was refreshed)
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
2 times, most recently
from
54583e2
to
fd98e17
Compare
|
@didrocks sorry for the aggresive force-pushing 😊 the only changes are in the first and last commit (which is newly added). |
I was on the starting block to complain, but now that you apologized… :p |
There was a problem hiding this comment.
I’m not sure I’m fully following the logic here (in addition to the comment I mentioned).
I don’t see the symlink to be reused anywhere after being created. The idea is that any "all policy updates" (so, without explicit env variable to get the ticket), should get the real ticket location from the symlink and assess if a copy refresh is in order? I may be missing it completely, but I even reopened the file to see if there is any hidden logic I’m missing.
If I am correct, it means that we are missing a test to setup something for a given user, then, modifying ticket and ask for a refresh without pointing to that user in particular, and check that the copy has been refreshed.
That's a very good observation which I totally missed, thanks for that. I've now updated the implementation to attempt the copy even if an explicit krb5ccname is not passed and validated the behavior with a package test. |
No worry, I think that shows we should have an automated test for this behavior in the |
|
I agree, that's why I added one :P. Let me know if this is what you had in mind. |
Following the Heimdal issues surfaced after the samba 4.16.0 release we have to rethink the krb5cc handling logic with the following in mind: - we can no longer use symlinks as Kerberos tickets - the ticket has to be owned by the running user (in our case root) This is not related to a change in samba itself, but to the Kerberos implementation vendored in samba (Heimdal Kerberos). Between samba 4.15.0 and 4.16.0 there has been a massive update in the vendored code, pulling in around 10 years worth of changes[1]. Among these changes we were able to find information confirming the 2 issues above, and we concluded they are not considered to be bugs in the upstream implementation[2] (and related issue [3]). Another important thing to note is that the issues above do not manifest if samba is compiled and linked against the MIT Kerberos library. However, MIT Kerberos appears to still be considered experimental (as of today), and neither Ubuntu or other distros are compiling samba with MIT Kerberos. As such, we have to work around these "issues" within adsys. Instead of tracking the ticket's lifetime using a symlink, we rely on the following approach: * still track original ticket with a symlink * copy the ticket as a root-owned ticket * track refresh with timestamps on the symlink itself. Ticket copies will be stored under KRB5CACHEDIR, whereas symlinks will reside under KRB5CACHEDIR/tracking. Closes UDENG-289 [1] samba-team/samba@40b65c8 [2] heimdal/heimdal@2a56548 [3] heimdal/heimdal#306
I believe that with the previous commit we've uncovered a small bug in the krb5cc symlink logic. More specifically, in these tests we were creating symlinks to a nonexistent path (ccache_OFFLINE) due to the sssd configuration. Because the presence of the source file wasn't enforced in `ensureKrb5CCName` (filepath.Abs doesn't ensure the path actually exists), this went unnoticed until now. This was only a problem in the offline tests which didn't go to our samdb mock, which would have caught the dangling symlink issue. Now that we do the additonal copy action the failure becomes visible. The fix is simple, we just have to create the cached sssd ticket using the appropriate domain name.
Employ a write to temp & rename workflow to ensure we're not left in a broken state if the write fails midway.
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
from
2390a97
to
2097c9c
Compare
When checking for active users, symlinks are now followed, and users with dangling symlinks will now be silently ignored.
When upgrading from a previous version of the package it's highly likely to have the previous krb5cc structure in /var/run/krb5cc, with symlinks at the top level. We need to make sure we overwrite previous symlinks with the hard copy in this case.
GabrielNagy
force-pushed
the
krb5cc-symlink-handling
branch
from
f7484bd
to
535d60f
Compare
Following the Heimdal issues surfaced after the samba 4.16.0 release we have to rethink the krb5cc handling logic with the following in mind:
This is not related to a change in samba itself, but to the Kerberos implementation vendored in samba (Heimdal Kerberos). Between samba 4.15.0 and 4.16.0 there has been a massive update in the vendored code, pulling in around 10 years worth of changes. Among these changes we were able to find information confirming the 2 issues above, and we concluded they are not considered to be bugs in the upstream implementation (and related issue).
Another important thing to note is that the issues above do not manifest if samba is compiled and linked against the MIT Kerberos library. However, MIT Kerberos appears to still be considered experimental (as of today), and neither Ubuntu or other distros are compiling samba with MIT Kerberos.
As such, we have to work around these "issues" within adsys. Instead of tracking the ticket's lifetime using a symlink, we rely on the following approach:
Symlinks will remain stored under KRB5CACHEDIR, whereas the actual copies will reside under KRB5CACHEDIR/tickets.
Closes UDENG-289