Are non-FILE credential caches supported?


Are non-FILE credential caches supported?

Marcin Cieslak-3
Hello,

There is a bug report (https://github.com/heimdal/heimdal/issues/355) saying
that using FILE: credential cache designator does not work. Interestingly enough,
it works for me (FreeBSD 11.1, heimdal 7.5.0 from FreeBSD ports).

Trying to use other cache types causes strange errors though:

With /home/saper/.krb5cc directory existing an attempt to set in /etc/krb5.conf

[libdefaults]
        default_cc_name = DIR:/home/saper/.krb5cc

causes kinit crash because we explicitly pass NULL to dcc_resolve() in dcache.c:362:

% gdb /usr/local/bin/kinit
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
(gdb) run
Starting program: /usr/local/bin/kinit

Program received signal SIGSEGV, Segmentation fault.
dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
362    (*id)->data.data = dc;
Current language:  auto; currently minimal
(gdb) bt
#0  dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
#1  0x0000000800ee9d0d in dcc_get_cache_first (context=0x803846000, cursor=0x8038421f8)
    at dcache.c:568
#2  0x0000000800ed4799 in krb5_cc_cache_get_first (context=0x803846000,
    type=0x800f3f4e4 "DIR", cursor=0x8038421d8) at cache.c:1145
#3  0x0000000800ed4c42 in krb5_cccol_cursor_next (context=0x803846000,
    cursor=0x8038421d0, cache=0x7fffffffe1f8) at cache.c:1532
#4  0x0000000800ed48f0 in krb5_cc_cache_match (context=0x803846000,
    client=0x8038353a0, id=0x7fffffffe3c8) at cache.c:1227
#5  0x0000000000403cc1 in main (argc=0, argv=0x7fffffffe870) at kinit.c:1315

Looking at the code it seems to me that "DIR" ccache type is simply not implemented.

With
        default_cc_name = SCC:/home/saper/krb5cc.sqlite

it is even more interesting.

kinit seems to ignore the file part and always creates SCC:/tmp/krb5scc_%{uid}:

% ls -l /tmp/krb5scc_169
-rw-------  1 saper  wheel  20480 22 lut 22:32 /tmp/krb5scc_169
saper@poniatowski:~ % sqlite3 /tmp/krb5scc_169
SQLite version 3.21.0 2017-10-24 18:55:49
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;

but "klist" is not so smart:

% /usr/local/bin/klist
klist: krb5_cc_get_principal: No principal for cache SCC:/home/saper/krb5cc.sqlite:/tmp/krb5scc_169

but klist -A seems to somehow work:

% /usr/local/bin/klist -A
Credentials cache: SCC:unique-0x803849000
        Principal: [hidden email]

  Issued                Expires               Principal
Feb 22 22:32:57 2018  Feb 23 22:32:57 2018  krbtgt/[hidden email]

Some records seem to be written to /tmp/krb5cc_169 database, but
kdestroy does not seem to remove them, though (it exits silently).

I am looking for a possibility to store multiple tickets from many realms independently -
I've been using DIR ccache with MIT Kerberos quite successfully.

Is there any credential cache other than FILE working with Heimdal?

FreeBSD-specific note:

This is Heimdal 7.5.0 installed from ports, that's why /usr/local/bin/{kinit,kdestroy,klist}
commands are used; FreeBSD base comes with Heimdal 1.5.2, but port tools are properly linked
with 7.5.0 libraries, so I don't think there's any hiccup here.

% ldd /usr/local/bin/kinit
/usr/local/bin/kinit:
        libkafs.so.0 => /usr/local/lib/heimdal/libkafs.so.0 (0x80082a000)
        libheimbase.so.1 => /usr/local/lib/heimdal/libheimbase.so.1 (0x800a34000)
        libhx509.so.5 => /usr/local/lib/heimdal/libhx509.so.5 (0x800c48000)
        libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800ea6000)
        libheimntlm.so.0 => /usr/local/lib/heimdal/libheimntlm.so.0 (0x80115e000)
        libwind.so.0 => /usr/local/lib/heimdal/libwind.so.0 (0x801369000)
        libhcrypto.so.4 => /usr/local/lib/heimdal/libhcrypto.so.4 (0x801592000)
        libasn1.so.8 => /usr/local/lib/heimdal/libasn1.so.8 (0x8017e2000)
        libcom_err.so.1 => /usr/local/lib/heimdal/libcom_err.so.1 (0x801ad4000)
        libroken.so.18 => /usr/local/lib/heimdal/libroken.so.18 (0x801cd9000)
        libsqlite3.so.0 => /usr/local/lib/libsqlite3.so.0 (0x801ef2000)
        libcrypto.so.8 => /lib/libcrypto.so.8 (0x802400000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x802869000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x802a73000)
        libthr.so.3 => /lib/libthr.so.3 (0x802c92000)
        libc.so.7 => /lib/libc.so.7 (0x802eba000)
        libm.so.5 => /lib/libm.so.5 (0x803272000)

Marcin

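Added example, not code from Heimdal or from the thread: the SCC schema printed by `.schema` above, loaded into an in-memory SQLite database so the two cascade triggers can be exercised. Dropping a row from `caches` is what a destroy of an SCC cache has to end up doing for the credential and principal rows to disappear; sample rows are constructed, and the `cred` BLOB is a placeholder rather than an encoded ticket.

```python
import sqlite3

# Schema copied verbatim from the sqlite3 .schema output of /tmp/krb5scc_169.
SCC_SCHEMA = """
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;
"""


def open_scc():
    """Create an empty SCC-style database in memory (constructed, not a real cache)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCC_SCHEMA)
    db.execute("INSERT INTO master (version, defaultcache) VALUES (1, 'unique-0x1')")
    return db


def store_cred(db, cache_name, client, server, cred_blob, kvno=1, etype=18):
    """Store one credential under cache_name, creating the caches row if needed."""
    row = db.execute("SELECT oid FROM caches WHERE name=?", (cache_name,)).fetchone()
    if row is None:
        cid = db.execute("INSERT INTO caches (principal, name) VALUES (?, ?)",
                         (client, cache_name)).lastrowid
    else:
        cid = row[0]
    cred_id = db.execute(
        "INSERT INTO credentials (cid, kvno, etype, created_at, cred) VALUES (?,?,?,?,?)",
        (cid, kvno, etype, 0, cred_blob)).lastrowid
    # type 0 = client, 1 = server: a labelling assumed for this example only.
    db.execute("INSERT INTO principals (principal, type, credential_id) VALUES (?,0,?)",
               (client, cred_id))
    db.execute("INSERT INTO principals (principal, type, credential_id) VALUES (?,1,?)",
               (server, cred_id))
    db.commit()
    return cid


def destroy_cache(db, cache_name):
    """Drop the caches row; CacheDropCreds and credDropPrincipal cascade from there."""
    db.execute("DELETE FROM caches WHERE name=?", (cache_name,))
    db.commit()


def row_counts(db):
    """Row counts per table, the check to run after a destroy."""
    return {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("caches", "credentials", "principals")}
```

If a destroy leaves the counts unchanged, the cache row was never deleted and the triggers had nothing to cascade from.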

Re: Are non-FILE credential caches supported?

Quanah Gibson-Mount-2
--On Thursday, March 15, 2018 9:55 AM +0000 Marcin Cieslak
<[hidden email]> wrote:

> Hello,
>
> There is a bug report (https://github.com/heimdal/heimdal/issues/355)
> saying that using FILE: credential cache designator does not work.
> Interestingly enough, it works for me (FreeBSD 11.1, heimdal 7.5.0 from
> FreeBSD ports).

No, that's not what it says.  What's being discussed there is this setting:

"default_ccache_name"

which is what shows up in RHEL7's krb5.conf, because that's MIT's variable
for setting the cache.  When you're using Heimdal on a RHEL7 system, you
then get the problems I described.  As noted in the title of the bug
report, this is an MIT/Heimdal interop issue.

Generally, I'd suspect that Heimdal should treat default_ccache_name as
equivalent to default_cc_name.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


Re: Are non-FILE credential caches supported?

Greg Hudson
On 03/15/2018 11:15 AM, Quanah Gibson-Mount wrote:
> No, that's not what
> it says.  What's being discussed there is this setting:
>
> "default_ccache_name"
>
> which is what shows up in RHEL7's krb5.conf, because that's MIT's
> variable for setting the cache.  When you're using Heimdal on a RHEL7
> system, you then get the problems I described.  As noted in the title of
> the bug report, this is an MIT/Heimdal interop issue.

This looks like it was my botch.  I added "default_ccache_name" to MIT
krb5 in 1.11 (2012), and Heimdal added "default_cc_name" back in 2004.
Sorry about that.