| Summary: | >net-fs/cifs-utils-6.5: cifs-upcall breaks compatibility with sys-auth/sssd | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sergey Popov <pinkbyte> |
| Component: | Current packages | Assignee: | Gentoo's SAMBA Team <samba> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | hwoarang |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Long story short: newer versions of cifs-utils do not expand the name of the Kerberos ticket cache and just use the default. For example, this is the output from the autofs mounter on the old version:

Apr 13 14:15:57 oas1 cifs.upcall: ver=2
Apr 13 14:15:57 oas1 cifs.upcall: host=srv.dstu.local
Apr 13 14:15:57 oas1 cifs.upcall: ip=10.6.0.104
Apr 13 14:15:57 oas1 cifs.upcall: sec=1
Apr 13 14:15:57 oas1 cifs.upcall: uid=1000
Apr 13 14:15:57 oas1 cifs.upcall: creduid=1000
Apr 13 14:15:57 oas1 cifs.upcall: user=root
Apr 13 14:15:57 oas1 cifs.upcall: pid=25173
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1000_t50ihw
Apr 13 14:15:57 oas1 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_1000_t50ihw is valid ccache
Apr 13 14:15:57 oas1 cifs.upcall: handle_krb5_mech: getting service ticket for antey.dstu.local
Apr 13 14:15:57 oas1 cifs.upcall: handle_krb5_mech: obtained service ticket
Apr 13 14:15:57 oas1 cifs.upcall: Exit status 0

And this is for the new one:

Apr 13 14:11:54 oas1 cifs.upcall: ver=2
Apr 13 14:11:54 oas1 cifs.upcall: host=srv.dstu.local
Apr 13 14:11:54 oas1 cifs.upcall: ip=10.6.0.104
Apr 13 14:11:54 oas1 cifs.upcall: sec=1
Apr 13 14:11:54 oas1 cifs.upcall: uid=1000
Apr 13 14:11:54 oas1 cifs.upcall: creduid=1000
Apr 13 14:11:54 oas1 cifs.upcall: user=root
Apr 13 14:11:54 oas1 cifs.upcall: pid=24780
Apr 13 14:11:54 oas1 cifs.upcall: get_cachename_from_process_env: pathname=/proc/24780/environ
Apr 13 14:11:54 oas1 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
Apr 13 14:11:54 oas1 cifs.upcall: get_tgt_time: unable to get principal
Apr 13 14:11:54 oas1 cifs.upcall: krb5_get_init_creds_keytab: -1765328378

The key difference is how the Kerberos cache is detected. The problem is: sssd does not allow overriding the cache name if it does not contain randomization (I think it is to prevent accidental overwriting of the cache file).

So, I can't tell sssd to use plain "/tmp/krb5cc_${UID}", and as get_cachename_from_process_env does not return a valid cache file name, things just do not work. What I have tried: new versions of cifs-utils (up to 6.8 inclusive), newer versions of sssd (up to 1.15.3, not in portage) - no success.
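
The two lookup paths visible in the logs above can be modelled to show why the randomized sssd cache is missed. This is an added example, not part of the original report and not cifs-utils code. The function names, the ownership check in `old_lookup`, and the idea that the requesting process has no `KRB5CCNAME` set are assumptions, and the sample data is constructed from values in the logs.

```python
# Simplified model of the two ccache lookups seen in the logs (assumption:
# the real cifs.upcall logic has more checks, e.g. ticket validity/expiry).

def ccache_from_environ(environ: bytes):
    """Extract KRB5CCNAME from the raw NUL-separated /proc/<pid>/environ data."""
    for entry in environ.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == b"KRB5CCNAME":
            return value.decode(errors="replace")
    return None

def new_lookup(environ: bytes, uid: int) -> str:
    """Newer path in the log: process environment first, else the default name."""
    return ccache_from_environ(environ) or f"FILE:/tmp/krb5cc_{uid}"

def old_lookup(tmp_listing, uid: int):
    """Older path in the log: consider krb5cc_* files found in /tmp.
    tmp_listing is [(filename, owner_uid)]; the owner check is an assumption."""
    return [f"FILE:/tmp/{name}" for name, owner in tmp_listing
            if name.startswith("krb5cc_") and owner == uid]

def diagnose(environ: bytes, uid: int, tmp_listing) -> dict:
    """Report which cache the newer path picks and whether it exists on disk."""
    chosen = new_lookup(environ, uid)
    present = {f"FILE:/tmp/{name}" for name, _ in tmp_listing}
    return {
        "chosen": chosen,
        "from_env": ccache_from_environ(environ) is not None,
        "exists": chosen in present,
        "old_candidates": old_lookup(tmp_listing, uid),
    }

# Constructed sample data modelled on the report (uid 1000, sssd-style suffix).
TMP = [("krb5cc_1000_t50ihw", 1000), ("krb5cc_0", 0)]
DAEMON_ENV = b"PATH=/usr/sbin:/usr/bin\0LANG=C\0"  # no KRB5CCNAME
SESSION_ENV = b"PATH=/usr/bin\0KRB5CCNAME=FILE:/tmp/krb5cc_1000_t50ihw\0"

if __name__ == "__main__":
    for label, env in (("daemon", DAEMON_ENV), ("session", SESSION_ENV)):
        print(label, diagnose(env, 1000, TMP))
```

On a live system, the same check can be fed the bytes of `/proc/<pid>/environ` for the pid that cifs.upcall logs, together with a listing of `/tmp`.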