On Fri, 2012-05-04 at 18:31 +0200, Stef Walter wrote:
> If krb5_canonicalize is not present or is True in sssd.conf, then sssd
> asks krb5_get_init_creds_keytab() to canonicalize principals. This can
> change the client principal. When writing out the credential cache, we
> should use this changed principal, and not the original one.
>
> Failure to do this results in errors when LDAP tries to use the
> credential cache:
...
> This is because the default principal in the credential cache does not
> match any of the credentials:
>
> [root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
> Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
> Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN
>
> Valid starting     Expires            Service principal
> 04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/ad.thewalter....@ad.thewalter.lan
>         for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
>
> Note the difference in capitalization.
>
> This bug is present in SSSD git master.
>
> Will attach simple patch which fixes the problem. An alternate patch
> would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
> writing the credential cache in sssd code.
Thanks for the patch! Just a few things: Please add a comment stating the reason to use my_creds.client instead of kprinc so future developers don't get confused. Also, this change needs to be made to src/providers/krb5/krb5_child.c as well. From discussion on IRC, "create_ccache_file() could lose the krb5_principal argument and always use the one in the creds".
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
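The symptom in the report is a credential cache whose default principal no longer matches the client principal of the TGT it holds, because the KDC canonicalized the name after the cache header was written. The script below is an added check, not SSSD code or anything from the thread: it parses `klist` text output (the constructed samples are modelled on the report, with a made-up realm EXAMPLE.COM and host HOST1$) and compares, byte for byte, the client principal of every credential against the cache's default principal. It relies on MIT `klist` printing a "for client ..." annotation under a credential only when that credential's client differs from the default principal, and it assumes the MM/DD/YY date layout shown in the report; both are stated in the comments.

```python
import re

# Constructed sample modelled on the klist output in the bug report (not a real capture).
# The default principal carries the pre-canonicalization name (upper-case host),
# while the TGT was issued to the canonical name (lower-case host).
BAD_KLIST = """\
Ticket cache: FILE:/var/lib/sss/db/ccache_EXAMPLE.COM
Default principal: HOST1$@EXAMPLE.COM

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tfor client host1$@EXAMPLE.COM, renew until 04/12/12 12:01:01
"""

# Constructed sample of a consistent cache: klist prints no "for client" line
# because the credential's client principal equals the default principal.
GOOD_KLIST = """\
Ticket cache: FILE:/var/lib/sss/db/ccache_EXAMPLE.COM
Default principal: host1$@EXAMPLE.COM

Valid starting     Expires            Service principal
04/11/12 12:01:01  04/11/12 22:00:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/12/12 12:01:01
"""

_DEFAULT_RE = re.compile(r"^Default principal:\s*(\S+)")
# Assumes the MM/DD/YY HH:MM:SS layout from the report; adjust for other locales.
_SERVICE_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
_CLIENT_RE = re.compile(r"for client (\S+?)(?:,|$)")


def parse_klist(text):
    """Return (default_principal, [(service, client), ...]) from klist output.

    MIT klist annotates a credential with "for client <principal>" only when that
    credential's client differs from the cache's default principal, so a credential
    without the annotation is attributed to the default principal.
    """
    default = None
    creds = []
    for line in text.splitlines():
        m = _DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = _SERVICE_RE.match(line)
        if m and default is not None:
            creds.append([m.group(1), default])
            continue
        m = _CLIENT_RE.search(line)
        if m and creds:
            creds[-1][1] = m.group(1)
    if default is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return default, [tuple(c) for c in creds]


def check_ccache(text):
    """Classify each credential's client against the default principal.

    Kerberos principal names are case-sensitive, so the comparison is exact.
    Status is 'ok', 'case-mismatch' (the canonicalization symptom from the
    report: same name modulo case) or 'mismatch' (a different principal).
    """
    default, creds = parse_klist(text)
    results = []
    for service, client in creds:
        if client == default:
            status = "ok"
        elif client.lower() == default.lower():
            status = "case-mismatch"
        else:
            status = "mismatch"
        results.append((service, client, status))
    return results


def ccache_is_consistent(text):
    """True when every credential in the cache belongs to the default principal."""
    return all(status == "ok" for _, _, status in check_ccache(text))


if __name__ == "__main__":
    import subprocess
    import sys

    # Check a live cache: pass a cache name (e.g. FILE:/var/lib/sss/db/ccache_REALM)
    # or omit it to use the default cache.
    cmd = ["klist"] + (["-c", sys.argv[1]] if len(sys.argv) > 1 else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for service, client, status in check_ccache(out):
        print(f"{status:14} {service} (client {client})")
    sys.exit(0 if ccache_is_consistent(out) else 1)
```

A non-zero exit with a `case-mismatch` row is the signature of the bug above: the cache was initialized with the principal requested from the keytab rather than the one returned in the credentials. The writer-side fix is the one the thread describes, initializing the cache from the client principal in the returned creds rather than the principal that was passed in.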