On (03/10/23 21:15), Francis Augusto Medeiros-Logeay wrote:
>Hi,
>
>We had a mechanism to allow users to mount their directory by using a user
>systemd service that runs mount (with sudo).
>
>Since we use Kerberos on that operation, we'd add
>
>Defaults env_keep += "KRB5CCNAME"
>
>to a sudoers.d file.
>
>This worked pretty well, but then we moved to KCM: instead of FILE:.
>
>Is there a way we can preserve access to KCM tickets for a user when he uses
>sudo?
>
Tickets are preserved. But sssd-kcm generates the "search path" based on the connected client, and if you run it with sudo the UID changes, e.g.

```
sh$ KRB5CCNAME=KCM:1000:35443 klist -l
Principal name                 Cache name
--------------                 ----------
[email protected]                 KCM:1000:35443 (Expired)
```

and now with sudo

```
sh$ KRB5CCNAME=KCM:1000:35443 sudo --preserve-env=KRB5CCNAME klist -l
Principal name                 Cache name
--------------                 ----------
```

One can see that in the sssd-kcm logs:

```
[get_client_cred] (0x4000): Client [0x55ccd532d700][14] creds: euid[0] egid[0] pid[354693] cmd_line['klist'].
[kcm_input_parse] (0x1000): [CID#9] Received message with length 15
[kcm_get_opt] (0x2000): [CID#9] The client requested operation 8
[kcm_cmd_send] (0x0400): [CID#9] KCM operation GET_PRINCIPAL
[kcm_op_get_principal_send] (0x1000): [CID#9] Requested principal 1000:35443
                                                                 ^^^^^^^^^^ sure; there was 1000 in KRB5CCNAME
[ccdb_secdb_getbyname_send] (0x2000): [CID#9] Getting ccache by name
[local_db_dn] (0x2000): [CID#9] Local path for [persistent/0/ccache/] is [cn=ccache,cn=0,cn=persistent,cn=kcm]
[sss_sec_new_req] (0x1000): [CID#9] Local DB path is persistent/0/ccache/
[secdb_container_url_req] (0x2000): [CID#9] Created request for URL persistent/0/ccache/
[sss_sec_list] (0x0400): [CID#9] Listing keys at [persistent/0/ccache/]
[sss_sec_list] (0x2000): [CID#9] Searching at [cn=ccache,cn=0,cn=persistent,cn=kcm] with scope=subtree
                                                           ^^^^ but the connected client had `euid[0] egid[0]` (one can see that on the 1st line), and therefore sssd searches for ccaches stored for the user with UID 0
```

* https://github.com/SSSD/sssd/blob/66c0a2d00b872db77d59efb41bac66df0cf04c26/src/responder/kcm/kcmsrv_ccache_secdb.c#L39
* https://github.com/SSSD/sssd/blob/66c0a2d00b872db77d59efb41bac66df0cf04c26/src/responder/kcm/kcmsrv_ccache_secdb.c#L115

LS
_______________________________________________
sssd-users mailing list -- [email protected]
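To make the UID mismatch described in the reply easy to spot in a larger sssd-kcm debug log, here is an added example (not code from the thread or from SSSD) that correlates the `euid[...]` of each connected client with the UID encoded in the `Requested principal UID:tag` it asks for, and reports the lookups where the two differ; the log line formats are taken from the output quoted above, the sample log is constructed from those same lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the sssd-kcm debug lines quoted in the thread (sudo case).
SAMPLE_LOG = """\
[get_client_cred] (0x4000): Client [0x55ccd532d700][14] creds: euid[0] egid[0] pid[354693] cmd_line['klist'].
[kcm_input_parse] (0x1000): [CID#9] Received message with length 15
[kcm_get_opt] (0x2000): [CID#9] The client requested operation 8
[kcm_cmd_send] (0x0400): [CID#9] KCM operation GET_PRINCIPAL
[kcm_op_get_principal_send] (0x1000): [CID#9] Requested principal 1000:35443
[sss_sec_list] (0x0400): [CID#9] Listing keys at [persistent/0/ccache/]
"""

# Patterns for the three log lines that matter: who connected, which ccache
# name was requested, and which per-UID container sssd-kcm actually searched.
CLIENT_RE = re.compile(r"\[get_client_cred\].*?euid\[(\d+)\].*?pid\[(\d+)\]")
REQ_RE = re.compile(r"\[kcm_op_get_principal_send\].*?\[CID#(\d+)\] Requested principal (\d+):(\d+)")
PATH_RE = re.compile(r"\[sss_sec_list\].*?\[CID#(\d+)\] Listing keys at \[persistent/(\d+)/ccache/\]")


@dataclass
class Mismatch:
    cid: str
    client_euid: int        # euid of the process talking to sssd-kcm
    ccache_uid: int         # UID encoded in the KCM:<uid>:<tag> name it asked for
    ccache_name: str
    search_uid: Optional[int]   # UID whose container was searched, if logged


def find_uid_mismatches(log_text: str) -> List[Mismatch]:
    """Return every GET_PRINCIPAL lookup where the ccache name names a different
    UID than the euid of the connected client (what happens under sudo)."""
    found: List[Mismatch] = []
    pending = {}            # CID -> Mismatch still waiting for its search-path line
    current_euid: Optional[int] = None
    for line in log_text.splitlines():
        if (m := CLIENT_RE.search(line)):
            current_euid = int(m.group(1))   # get_client_cred carries no CID, so remember it
        elif (m := REQ_RE.search(line)) and current_euid is not None:
            cid, uid, tag = m.groups()
            if int(uid) != current_euid:
                pending[cid] = Mismatch(cid, current_euid, int(uid), f"KCM:{uid}:{tag}", None)
        elif (m := PATH_RE.search(line)) and m.group(1) in pending:
            pending[m.group(1)].search_uid = int(m.group(2))
            found.append(pending.pop(m.group(1)))
    found.extend(pending.values())   # requests that never reached the search line
    return found
```

Running it over the sample reports one mismatch: client euid 0 requested `KCM:1000:35443` and sssd-kcm searched `persistent/0/ccache/`, which is why `klist` under sudo shows nothing.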
