From a183e279f754afdd571d8b084c7a36b71d5c1701 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Wed, 17 Dec 2014 09:10:33 +0100
Subject: [PATCH 2/2] krb5_child: Initialize REALM earlier

Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used.
The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache:
privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore wrong principal was used when the option krb5_fast_principal is empty.
[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!
As a result of this user was not able to authenticate.
Resolves: https://fedorahosted.org/sssd/ticket/2526
Reviewed-by: Sumit Bose
---
 src/providers/krb5/krb5_child.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 76a0757f6176d4ad9d049bc8825a64328b19a818..64fe6f0cb19e831ed4b49f627cb3b3a124272943 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2159,12 +2159,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
 DEBUG(SSSDBG_TRACE_INTERNAL, "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
- kr->realm = getenv(SSSD_KRB5_REALM);
- if (kr->realm == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
- }
-
 /* Set the global error context */
 krb5_error_ctx = kr->ctx;
@@ -2254,6 +2248,12 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
 int ret;
 char *mem_keytab;
+ kr->realm = getenv(SSSD_KRB5_REALM);
+ if (kr->realm == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
+ }
+
 kerr = krb5_init_context(&kr->ctx);
 if (kerr != 0) {
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
--
1.9.3
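Review bot: An unset SSSD_KRB5_REALM is still only logged at SSSDBG_MINOR_FAILURE in the block added at the top of privileged_krb5_setup (second hunk), so kr->realm stays NULL and execution continues toward the FAST setup. The log excerpt in the commit message suggests that a NULL realm makes the keytab lookup match `(null)@(null)`, i.e. apparently any principal, so the unset-variable case would presumably reproduce the failure this patch fixes for the ordering case. If no caller legitimately runs without a realm, fail closed here: log at `SSSDBG_CRIT_FAILURE` and `return EINVAL;` inside the `if (kr->realm == NULL)` branch; otherwise add a comment such as `/* kr->realm may be NULL; FAST setup must handle that explicitly */`. kr->realm also points into the environment rather than at a copy, which is only safe if nothing later calls setenv()/putenv(), so that is worth confirming. The function body starts and continues outside the hunk.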