Hi,

we have a number of issues with session caching in Kerberos ccaches:

- MIT Kerberos FILE: ccache code does always append entries, so we end
  up with ever growing ccache files. In KEYRING: case we are lucky that
  add_key syscall actually updates the key with the same name.

- MIT Kerberos FILE: and KEYRING: ccache code does not allow to remove
  cred from ccache. Corresponding functions simply return
  KRB5_CC_NOSUPP;

As result, using FILE: ccache type does not allow us to override our
session cookie stored as a config entry in the ccache. Successive runs
of ipa CLI create new entries in the ccache:

# strings /tmp/root.cc|grep -A3 krb5_ccache_conf_data
krb5_ccache_conf_data
fast_avail
krbtgt/xs.ipa.c...@xs.ipa.cool
XS.IPA.COOL
--
krb5_ccache_conf_data
pa_type
krbtgt/xs.ipa.c...@xs.ipa.cool
XS.IPA.COOL
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
ad...@xs.ipa.cool
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188185818841;
 Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:09:45 GMT; Secure; 
HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
ad...@xs.ipa.cool
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188233395149;
 Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:10:33 GMT; Secure; 
HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
ad...@xs.ipa.cool
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188672108356;
 Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:17:52 GMT; Secure; 
HttpOnly

The output above is after three successive runs.

Once we put cookie in the FILE: ccache, it cannot be removed from there
and cannot be replaced. Also, as retrieval code in krb5_cc_get_conf()
ends up calling krb5_cc_retrieve_cred() with 0 flags and only has a cred
principal name constructed out of a our conf key (X-IPA-Session_Cookie),
none of the matching logic for "most recent ticket" could be applied.

I have a workaround as https://github.com/freeipa/freeipa/pull/638 that
allows to recover in a case we are using KEYRING: ccache type and server
denies to accept our cookie -- happens within about 10-15 minutes after
last time cookie was used -- but I have no solution for FILE: ccaches.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to