[Bug 2072581] Re: sssd 2.9.4-1 fails to populate krb creds when set to FILE:/run/user/uid/krb5cc

Karl Grindley 2072581 at bugs.launchpad.net
Sat Jul 13 14:57:56 UTC 2024
I have a shim workaround to manage/consolidate all krb ticket caches
under systemd that now works with the user tmpfs directories. This
drastically improves the user experience to that of MS Windows for all
users that ssh/gdm login, with smartcard/pcscd optimizations.  Perhaps
some day I will document it and publish it, or attempt to see if we can
de-fracture the kerberos stack on linux in general.

We can close this ticket.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2072581

Title:
  sssd 2.9.4-1 fails to populate krb creds when set to
  FILE:/run/user/uid/krb5cc

Status in openssh package in Ubuntu:
  New

Bug description:
  sssd fails to create and populate the krb5cc cache when set to
      default_ccache_name = FILE:/run/user/%{uid}/krb5cc

  /var/log/sssd/krb5_child.log shows directory being created and krb5cc attempting to be populated, but fails.
  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x3f7c0): [RID#51] pac_check is set but PAC responder is not running, failed to properly validate PAC, ignored, authentication for [USER\@REALM at REALM] can proceed.
  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): [RID#51] sss_send_pac failed, group membership for user with principal [USER\@REALM at REALM] might not be correct.
  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] krb5_child started.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x1000): [RID#51] total buffer size: [155]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): [RID#51] cmd [241 (auth)] uid [966406121] gid [966400513] validate [true] enterprise principal [true] offline [false] UPN [USER at REALM]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): [RID#51] ccname: [FILE:/run/user/966406121/krb5cc] old_ccname: [FILE:/run/user/966406121/krb5cc] keytab: [not set]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): [RID#51] Missing krb5_keytab option for domain, looking for default one
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): [RID#51] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_keytab_name] (0x0400): [RID#51] krb5_child will default to: /etc/krb5.keytab
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [check_use_fast] (0x0100): [RID#51] Not using FAST.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [old_ccache_valid] (0x0400): [RID#51] Saved ccache FILE:/run/user/966406121/krb5cc doesn't exist, ignoring
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [k5c_check_old_ccache] (0x4000): [RID#51] Ccache_file is [FILE:/run/user/966406121/krb5cc] and is not active and TGT is not valid.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [k5c_precreate_ccache] (0x4000): [RID#51] Recreating ccache
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [create_ccache_dir] (0x2000): [RID#51] Creating directory [/run/user/966406121].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [privileged_krb5_setup] (0x0080): [RID#51] Cannot open the PAC responder socket
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [become_user] (0x0200): [RID#51] Trying to become user [966406121][966400513].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x2000): [RID#51] Running as [966406121][966400513].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_lifetime_options] (0x0100): [RID#51] Renewable lifetime is set to [30d]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_lifetime_options] (0x0100): [RID#51] Lifetime is set to [24h]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [set_canonicalize_option] (0x0100): [RID#51] Canonicalization is set to [true]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] Will perform auth
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [main] (0x0400): [RID#51] Will perform online auth
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [tgt_req_child] (0x1000): [RID#51] Attempting to get a TGT
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [get_and_save_tgt] (0x0400): [RID#51] Attempting kinit for realm [REALM]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_krb5_responder] (0x4000): [RID#51] Got question [password].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_krb5_expire_callback_func] (0x2000): [RID#51] exp_time: [14591489]
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x2000): [RID#51] Found keytab entry with the realm of the credential.
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0400): [RID#51] TGT verified using key for [HOST$@REALM].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x4000): [RID#51] NSS return code [-1], request return code [111][Connection refused].
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x0080): [RID#51] failed to contact PAC responder
     *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): [RID#51] sss_send_pac failed, group membership for user with principal [USER\@REALM at REALM] might not be correct.
  ********************** BACKTRACE DUMP ENDS HERE *********************************


  This behavior is not an issue in u22's sssd-2.6.3 and prior
  No LSB modules are available.
  Description:	Ubuntu 24.04 LTS
  Release:	24.04
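A small triage helper, added here as an example and not part of the bug report or of sssd itself: it parses krb5_child debug lines in the format quoted above and condenses one request into the facts worth checking first, namely the ccache name that was requested, the directory krb5_child created, whether the saved ccache was missing, whether the TGT was verified, and whether the PAC responder was unreachable. The sample lines are constructed to mirror the trace above, and the failure threshold (debug levels 0x0010 to 0x0080) follows sssd's documented debug-level meanings.

```python
import re

# Format of an sssd krb5_child debug line, as quoted in the bug report:
#   (YYYY-MM-DD HH:MM:SS): [krb5_child[PID]] [func] (0xLEVEL): [RID#N] message
# Backtrace-dump lines carry a leading "   *  ", which the regex tolerates.
LINE_RE = re.compile(
    r"^\s*\*?\s*\((?P<ts>[^)]+)\):\s*\[krb5_child\[(?P<pid>\d+)\]\]\s*"
    r"\[(?P<func>[^\]]+)\]\s*\((?P<level>0x[0-9a-fA-F]+)\):\s*"
    r"\[RID#(?P<rid>\d+)\]\s*(?P<msg>.*)$"
)

def parse(lines):
    """Yield (func, level, rid, msg) for each line in krb5_child format."""
    for line in lines:
        if m := LINE_RE.match(line):
            yield m["func"], int(m["level"], 16), int(m["rid"]), m["msg"]

def triage(lines):
    """Condense one request's trace into the facts a triager needs."""
    t = {"ccname": None, "ccache_dir": None, "saved_ccache_missing": False,
         "tgt_verified": False, "pac_unreachable": False, "failures": []}
    for func, level, _rid, msg in parse(lines):
        if m := re.search(r"ccname: \[([^\]]+)\]", msg):
            t["ccname"] = m.group(1)
        if m := re.search(r"Creating directory \[([^\]]+)\]", msg):
            t["ccache_dir"] = m.group(1)
        if func == "old_ccache_valid" and "doesn't exist" in msg:
            t["saved_ccache_missing"] = True
        if func == "validate_tgt" and msg.startswith("TGT verified"):
            t["tgt_verified"] = True
        if func == "sss_send_pac" and "Connection refused" in msg:
            t["pac_unreachable"] = True
        # sssd levels 0x0010..0x0080 mark fatal/critical/serious/minor failures
        if level <= 0x0080:
            t["failures"].append((func, msg))
    return t

# Constructed sample (not copied log data) mirroring the trace in the report.
SAMPLE = """\
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [unpack_buffer] (0x0100): [RID#51] ccname: [FILE:/run/user/966406121/krb5cc] old_ccname: [FILE:/run/user/966406121/krb5cc] keytab: [not set]
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [old_ccache_valid] (0x0400): [RID#51] Saved ccache FILE:/run/user/966406121/krb5cc doesn't exist, ignoring
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [create_ccache_dir] (0x2000): [RID#51] Creating directory [/run/user/966406121].
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [privileged_krb5_setup] (0x0080): [RID#51] Cannot open the PAC responder socket
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0400): [RID#51] TGT verified using key for [HOST$@REALM].
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [sss_send_pac] (0x4000): [RID#51] NSS return code [-1], request return code [111][Connection refused].
   *  (2024-07-09 14:02:17): [krb5_child[3348]] [validate_tgt] (0x0040): [RID#51] sss_send_pac failed, group membership for user with principal [USER@REALM] might not be correct.
"""
if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

Run it against a real /var/log/sssd/krb5_child.log (filtered to one RID) to see at a glance whether the ticket was obtained and which step reported a failure.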
