Bug 653094 - >net-fs/cifs-utils-6.5: cifs-upcall breaks compatibility with sys-auth/sssd
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's SAMBA Team
Reported: 2018-04-13 11:21 UTC by Sergey Popov
Modified: 2021-09-10 10:18 UTC
Description Sergey Popov gentoo-dev 2018-04-13 11:21:03 UTC
Long story short: newer versions of cifs-utils do not expand the name of the Kerberos ticket cache and just use the default.

For example, this is the output from the autofs mounter on the old version:

Apr 13 14:15:57 oas1 cifs.upcall: ver=2
Apr 13 14:15:57 oas1 cifs.upcall: host=srv.dstu.local
Apr 13 14:15:57 oas1 cifs.upcall: ip=10.6.0.104
Apr 13 14:15:57 oas1 cifs.upcall: sec=1
Apr 13 14:15:57 oas1 cifs.upcall: uid=1000
Apr 13 14:15:57 oas1 cifs.upcall: creduid=1000
Apr 13 14:15:57 oas1 cifs.upcall: user=root
Apr 13 14:15:57 oas1 cifs.upcall: pid=25173
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1000_t50ihw
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_1000_t50ihw is valid ccache
Apr 13 14:15:57 oas1 cifs.upcall: handle_krb5_mech: getting service ticket for antey.dstu.local
Apr 13 14:15:57 oas1 cifs.upcall: handle_krb5_mech: obtained service ticket
Apr 13 14:15:57 oas1 cifs.upcall: Exit status 0

And this is for the new one:

Apr 13 14:11:54 oas1 cifs.upcall: ver=2
Apr 13 14:11:54 oas1 cifs.upcall: host=srv.dstu.local
Apr 13 14:11:54 oas1 cifs.upcall: ip=10.6.0.104
Apr 13 14:11:54 oas1 cifs.upcall: sec=1
Apr 13 14:11:54 oas1 cifs.upcall: uid=1000
Apr 13 14:11:54 oas1 cifs.upcall: creduid=1000
Apr 13 14:11:54 oas1 cifs.upcall: user=root
Apr 13 14:11:54 oas1 cifs.upcall: pid=24780
Apr 13 14:11:54 oas1 cifs.upcall: get_cachename_from_process_env: pathname=/proc/24780/environ 
Apr 13 14:11:54 oas1 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 
Apr 13 14:11:54 oas1 cifs.upcall: get_tgt_time: unable to get principal
Apr 13 14:11:54 oas1 cifs.upcall: krb5_get_init_creds_keytab: -1765328378


The key difference is how the Kerberos cache is detected.

The problem is: sssd does not allow overriding the cache name if it does not contain randomization (I think it is to prevent accidental overwriting of the cache file).

So, I can't tell sssd to use plain "/tmp/krb5cc_${UID}", and as get_cachename_from_process_env does not return a valid cache file name, things just do not work.

What I have tried: new versions of cifs-utils (up to 6.8 inclusive), newer versions of sssd (up to 1.15.3, not in portage) - no success.
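
An added triage example, not part of the bug report and not cifs-utils code: it summarises one cifs.upcall syslog run, reporting which lookup function named the ccache, whether that name carries a random suffix, and the logged krb5 error as an RFC 4120 error number. The sample lines are copied from the two runs quoted above; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: cifs.upcall lines copied from the two runs quoted in the report.
OLD_RUN = """\
Apr 13 14:15:57 oas1 cifs.upcall: uid=1000
Apr 13 14:15:57 oas1 cifs.upcall: pid=25173
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1000_t50ihw
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_1000_t50ihw is valid ccache
Apr 13 14:15:57 oas1 cifs.upcall: Exit status 0
"""
NEW_RUN = """\
Apr 13 14:11:54 oas1 cifs.upcall: uid=1000
Apr 13 14:11:54 oas1 cifs.upcall: pid=24780
Apr 13 14:11:54 oas1 cifs.upcall: get_cachename_from_process_env: pathname=/proc/24780/environ
Apr 13 14:11:54 oas1 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
Apr 13 14:11:54 oas1 cifs.upcall: get_tgt_time: unable to get principal
Apr 13 14:11:54 oas1 cifs.upcall: krb5_get_init_creds_keytab: -1765328378
"""

KRB5_BASE = -1765328384  # first value of the MIT krb5 error table (protocol error 0)
MSG = re.compile(r"cifs\.upcall: (.*\S)")
CCACHE = re.compile(r"FILE:(\S+)")
KRB5_ERR = re.compile(r"^(\w+): (-\d+)$")

def triage(log_text):
    """Summarise one cifs.upcall run: which lookup named the ccache, and how it ended."""
    r = {"uid": None, "lookup": None, "ccache": None, "randomized": None,
         "exit": None, "err_call": None, "krb5_code": None}
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("uid="):
            r["uid"] = int(msg[4:])
        elif msg.startswith("Exit status "):
            r["exit"] = int(msg.split()[-1])
        elif (cc := CCACHE.search(msg)):
            r["lookup"] = msg.split(":", 1)[0]
            r["ccache"] = cc.group(1)
            # Randomized names have a suffix after krb5cc_<uid>, e.g. krb5cc_1000_t50ihw
            r["randomized"] = bool(re.search(r"krb5cc_\d+_\w+$", cc.group(1)))
        elif (e := KRB5_ERR.match(msg)):
            r["err_call"] = e.group(1)
            r["krb5_code"] = int(e.group(2)) - KRB5_BASE  # RFC 4120 error number
    return r
```

For the new run the logged value decodes to 6, which RFC 4120 defines as KDC_ERR_C_PRINCIPAL_UNKNOWN.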