Bug#584211: sssd: Using wrong KRB5 credentials cache file

2010-06-02 Thread FladischerMichael
Package: sssd
Version: 1.2.0-1
Severity: normal

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

After the upgrade of sssd to 1.2.0 I can no longer log into my dovecot
IMAP server.
Running `sssd -d 10` during a login attempt I get this:

(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [sbus_message_handler]
(9): Received SBUS method [pamHandler]
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [be_pam_handler] (4):
Got request with the following data
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
command: PAM_AUTHENTICATE
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
domain: FLADI.AT
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
user: FladischerMichael
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
service: dovecot
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
tty: dovecot
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
ruser: FladischerMichael
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
rhost: ::1
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
authtok type: 1
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
authtok size: 6
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
newauthtok type: 0
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
newauthtok size: 0
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
priv: 0
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]] [pam_print_data] (4):
cli_pid: 18207
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[krb5_get_user_attr_done] (9): Using simple UPN
[fladischermich...@fladi.at].
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1014_dpYK7G]
exists, but is owned by [1014] instead of [1006].
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[krb5_get_user_attr_done] (1): check_if_ccache_file_is_used failed.
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[be_pam_handler_callback] (4): Backend returned: (0, 4, NULL)
[Success]
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[be_pam_handler_callback] (4): Sending result [4][FLADI.AT]
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[be_pam_handler_callback] (4): Sent result [4][FLADI.AT]

It seems as if sssd is trying to use the wrong krb5cc file for my UID:
1006 is the UID number of the user that attempts the login which fails (me).
1014 belongs to another user who is logged in through SSH and IMAP at
the same time.


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sssd depends on:
ii  libc-ares2     1.7.1-0                 library for asyncronous name resol
ii  libc6          2.11.1-2                Embedded GNU C Library: Shared lib
ii  libcomerr2     1.41.12-1               common error description library
ii  libdbus-1-3    1.2.24-1                simple interprocess messaging syst
ii  libk5crypto3   1.8.1+dfsg-5            MIT Kerberos runtime libraries - C
ii  libkrb5-3      1.8.1+dfsg-5            MIT Kerberos runtime libraries
ii  libldap-2.4-2  2.4.21-1                OpenLDAP libraries
ii  libldb0        1:0.9.10~git20100203-1  LDAP-like embedded database - shar
ii  libnspr4-0d    4.8.4-1                 NetScape Portable Runtime Library
ii  libnss3-1d     3.12.6-2                Network Security Service libraries
ii  libpam0g       1.1.1-3                 Pluggable Authentication Modules l
ii  libpcre3       8.02-1                  Perl 5 Compatible Regular Expressi
ii  libpopt0       1.16-1                  lib for parsing cmdline parameters
ii  libselinux1    2.0.94-1                SELinux runtime shared libraries
ii  libsemanage1   2.0.45-1                SELinux policy management library.
ii  libtalloc2     2.0.1-1                 hierarchical pool based memory all
ii  libtdb1        1.2.1-2                 Trivial Database - shared library
ii  libtevent0     0.9.8-1                 talloc-based event loop library -
ii  python         2.5.4-9                 An interactive high-level object-o
ii  python-sss     1.2.0-1                 Pam module for the System Security

sssd recommends no packages.

sssd suggests no packages.

- -- no debconf information

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwGKYEACgkQeJ3z1zFMUGah/wCaAzNdJgncOhHx5l0rnQ363kSL
iywAoIT8oNZYylCsGWoCc+6kQekDXYIo
=EdrF
-END PGP SIGNATURE-



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
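The debug output in this report contains the one line that explains the failed login: check_if_ccache_file_is_used refused a credential cache because its owner uid did not match the uid of the user logging in. The following Python is an added example, not code from the bug report or from sssd. It rejoins the records that the mail client wrapped, extracts each reported ownership mismatch, and applies the same owner-must-match rule to a path on disk, which is a useful first check when an sssd/Kerberos login fails for one user while others still work. The sample log text is constructed from the lines quoted above, and the regular expression assumes the exact message wording shown in this report.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant records from the report above, kept with
# the line folding the mail client introduced so the unfolding step is exercised.
SAMPLE_LOG = """\
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[krb5_get_user_attr_done] (9): Using simple UPN
[user@FLADI.AT].
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1014_dpYK7G]
exists, but is owned by [1014] instead of [1006].
(Wed Jun  2 11:45:04 2010) [sssd[be[FLADI.AT]]]
[krb5_get_user_attr_done] (1): check_if_ccache_file_is_used failed.
"""

# Wording of the level-1 debug message as it appears in this report
# (assumed; other sssd versions may phrase it differently).
_MISMATCH_RE = re.compile(
    r"\[check_if_ccache_file_is_used\] \(\d+\): Cache file \[(?P<path>[^\]]+)\]"
    r" exists, but is owned by \[(?P<owner>\d+)\] instead of \[(?P<expected>\d+)\]"
)


@dataclass(frozen=True)
class CcacheMismatch:
    path: str
    owner_uid: int
    expected_uid: int


def unfold_records(log_text: str) -> List[str]:
    """Rejoin debug records that were wrapped onto several lines.

    Every sssd record starts with a "(timestamp)" prefix; a line without that
    prefix is treated as a continuation of the previous record.
    """
    records: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("(") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def find_ccache_mismatches(log_text: str) -> List[CcacheMismatch]:
    """Return every ccache ownership mismatch sssd reported in the log."""
    found: List[CcacheMismatch] = []
    for record in unfold_records(log_text):
        m = _MISMATCH_RE.search(record)
        if m:
            found.append(CcacheMismatch(m["path"], int(m["owner"]), int(m["expected"])))
    return found


def ccache_owner_ok(path: str, expected_uid: int) -> Optional[bool]:
    """Apply the rule behind the log message to a file on disk.

    Returns None when the file is absent (nothing to reuse), True when it is a
    regular file owned by expected_uid, and False otherwise. lstat() is used so
    a symlink planted at the cache path is examined itself, not followed.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return False
    return st.st_uid == expected_uid


if __name__ == "__main__":
    for mm in find_ccache_mismatches(SAMPLE_LOG):
        print(f"{mm.path}: owned by uid {mm.owner_uid}, login was for uid {mm.expected_uid}")
```

Feed it the output of `sssd -d 10` (or the domain log under /var/log/sssd) to list every cache file sssd refused and the two uids involved; when the owner uid belongs to a different, currently logged-in user, as here, the problem is the path sssd chose rather than the file itself.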



Bug#584211: sssd: Using wrong KRB5 credentials cache file

2010-06-02 Thread Petter Reinholdtsen
[Fladischer Michael]
> After a bit of investigation it seems that this was caused by a
> malicious entry in /var/lib/sss/db/cache_FLADI.AT.ldb (FLADI.AT is my
> KRB5 domain) in the ccacheFile attribute for both users. Somehow the
> values got swapped:

Hm.  I have no idea what can cause this.  I was told by upstream
before we upgraded from 1.0.5 to 1.2.0 that the cache file on disk
hadn't changed format, and expected an upgrade to work out of the box.

I see Stephen Gallagher, one of the upstream developers, is aware of
this issue, and hope he has suggestions on what to do here.

> Removing the file /var/lib/sss/db/cache_FLADI.AT.ldb and restarting
> sssd afterwards solved the problem.  I was not able to reproduce it
> so far.

Good to hear that you found a workaround.

Perhaps we have to remove the cache during upgrades to avoid the
problem?  It might break machines without access to their LDAP server
or Kerberos server when they upgrade, so I am reluctant to do that.

Happy hacking,
-- 
Petter Reinholdtsen
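The quoted finding above, swapped ccacheFile values in the sysdb cache, can be confirmed before deleting the whole cache file, which matters on a machine that may not be able to rebuild it from the LDAP or Kerberos server. The following Python is an added example, not code from this thread or from sssd. It parses LDIF of the shape `ldbsearch -H /var/lib/sss/db/cache_FLADI.AT.ldb` prints and flags every user entry whose cached ccache path encodes a uid other than the entry's own. It assumes the attribute names uidNumber and ccacheFile, and that the cache path follows sssd's default template FILE:/tmp/krb5cc_%U_XXXXXX so the uid is recoverable from the path; the sample LDIF is constructed, with made-up random suffixes, to mimic the swapped state described in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF in the shape ldbsearch prints (attribute names assumed).
SAMPLE_LDIF = """\
dn: name=FladischerMichael,cn=users,cn=FLADI.AT,cn=sysdb
name: FladischerMichael
uidNumber: 1006
ccacheFile: FILE:/tmp/krb5cc_1014_dpYK7G

dn: name=otheruser,cn=users,cn=FLADI.AT,cn=sysdb
name: otheruser
uidNumber: 1014
ccacheFile: FILE:/tmp/krb5cc_1006_Ab12Cd

dn: name=thirduser,cn=users,cn=FLADI.AT,cn=sysdb
name: thirduser
uidNumber: 1020
ccacheFile: FILE:/tmp/krb5cc_1020_Zz9qWe
"""

# The uid embedded by the default krb5_ccname_template (FILE:/tmp/krb5cc_%U_XXXXXX).
# With a different template this check does not apply; that is an assumption here.
_CC_UID_RE = re.compile(r"krb5cc_(\d+)_")


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF parser: a blank line ends an entry, a leading space continues a value."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line (e.g. a comment); skip it
        last_key = key
        current[key] = value.strip()
    if current:
        entries.append(current)
    return entries


def audit_ccache_entries(ldif_text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uidNumber, ccacheFile) for each user whose ccache path
    carries a uid different from the user's own uidNumber."""
    suspicious: List[Tuple[str, int, str]] = []
    for entry in parse_ldif(ldif_text):
        if "uidNumber" not in entry or "ccacheFile" not in entry:
            continue
        uid = int(entry["uidNumber"])
        m = _CC_UID_RE.search(entry["ccacheFile"])
        if m and int(m.group(1)) != uid:
            name = entry.get("name", entry.get("dn", "?"))
            suspicious.append((name, uid, entry["ccacheFile"]))
    return suspicious


if __name__ == "__main__":
    for name, uid, ccache in audit_ccache_entries(SAMPLE_LDIF):
        print(f"{name} (uid {uid}) is cached with ccacheFile {ccache}")
```

Run it over real ldbsearch output after stopping sssd; an empty result means the cached ccacheFile values at least agree with each user's uid, while entries listed here point at the kind of swap this report describes and can be inspected before the cache is removed and rebuilt.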