[Bug 844198] New: /run/user/0 is not available for Kerberos caches
https://bugzilla.novell.com/show_bug.cgi?id=844198

https://bugzilla.novell.com/show_bug.cgi?id=844198#c0

           Summary: /run/user/0 is not available for Kerberos caches
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.1 Beta 1
          Platform: i686
        OS/Version: SUSE Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: lynn@steve-ss.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1632.0 Safari/537.36 SUSE/31.0.1632.0

Automounted kerberised cifs shares need a root cache available. The beta expects the cache to be at /run/users/0/ but this directory is only produced if root has logged in. Hence, cifs.upcall cannot find the cache as it cannot be produced because the directory is not present.

Previous to 13.1, the cache was created at /tmp which is not a problem, since /tmp always exists.

Reproducible: Always

Steps to Reproduce:
1. cd to a directory which corresponds to an autofs kerberized cifs mount

Actual Results:
Cannot cd to xyz. The directory does not exist.

Expected Results:
The directory is mounted.

The workaround is to use systemd tmpfiles or create the cache directory in /etc/init.d/boot.local

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=844198

https://bugzilla.novell.com/show_bug.cgi?id=844198#c1

--- Comment #1 from lynn wilson <lynn@steve-ss.com> 2013-10-07 08:23:27 UTC ---
There is a discussion going on on the factory mailing list with various solutions/workarounds:
http://lists.opensuse.org/opensuse-factory/2013-10/msg00099.html

The MIT guys suggest reverting to the old behaviour:

/etc/krb5.conf

    [libdefaults]
    default_ccache_name = /tmp/krb5cc_%{uid}

Is this the intended solution for 13.1?
Thanks

https://bugzilla.novell.com/show_bug.cgi?id=844198

https://bugzilla.novell.com/show_bug.cgi?id=844198#c

Ye Yuan <yyuan@suse.com> changed:

           What    |Removed                                    |Added
----------------------------------------------------------------------------
                 CC|                                           |yyuan@suse.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com  |mc@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=844198

https://bugzilla.novell.com/show_bug.cgi?id=844198#c2

--- Comment #2 from lynn wilson <lynn@steve-ss.com> 2013-10-17 08:09:18 UTC ---
The problem remains with 13.1 rc1, but the workaround is still good.

There is also a thread on the MIT list concerning this bug:
http://mailman.mit.edu/pipermail/kerberos/2013-October/019242.html

Thanks.

https://bugzilla.novell.com/show_bug.cgi?id=844198

https://bugzilla.novell.com/show_bug.cgi?id=844198#c4

Hardy Heroin <hardy.heroin+novell@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hardy.heroin+novell@gmail.com

--- Comment #4 from Hardy Heroin <hardy.heroin+novell@gmail.com> 2013-12-09 14:30:25 UTC ---
Workaround (adding to [libdefaults] in /etc/krb5.conf)

    default_ccache_name = /tmp/krb5cc_%{uid}

works for openSUSE 13.1, but also requires updating of /etc/sssd/sssd.conf to include under [domain/LDAP]:

    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%U

This also applies to kerberized NFS4 shares btw, when configured in combination with SSSD, LDAP and Autofs for instance. Also in that context I have seen the error also appear for /run/users/<LDAP-uid>/

http://bugzilla.novell.com/show_bug.cgi?id=844198

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joschibrauchle@gmx.de

--- Comment #8 from Joschi Brauchle <joschibrauchle@gmx.de> ---
I would like to object to reverting to the old behavior of putting credential caches into /tmp/!

By now, Fedora has moved completely to putting all credentials in /var/run/user/$UID, see
https://fedoraproject.org/wiki/Features/KRB5CacheMove
https://fedoraproject.org/wiki/Features/KRB5DirCache

Currently, in openSUSE 13.1 and 13.2 there is a problem that 1) the KRB package is compiled with default ccache in /var/run/user while 2) the SSSD package is compiled with default ccache in /tmp/.

This causes the problem that logged in users have their caches in /tmp/ (due to SSSD) while the Kerberos libraries look for the caches in /var/run/user/$UID, if the KRB5CCNAME variable is missing. (see BOO#899118)

I pledge for openSUSE to also move to /var/run/user/$UID as default credential cache for all services, as this seems the common way to go.

Hence, please fix cifs.upcall (or whatever process is responsible here to acquire the credentials) to create and use a directory in /var/run/... instead of reverting back to /tmp.

http://bugzilla.novell.com/show_bug.cgi?id=844198

--- Comment #9 from Joschi Brauchle <joschibrauchle@gmx.de> ---
(In reply to Joschi Brauchle from comment #8)
> I pledge for openSUSE to also move to /var/run/user/$UID as default
> credential cache for all services, as this seems the common way to go.

Correction:
It looks like DIR type ccaches are already a thing of the past and SSSD=1.12 & KRB=1.12 and have moved to storing ccaches in the kernel keyring.

This can be achieved in openSUSE 13.2 like so:

------- /etc/krb5.conf --------
[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}
------- /etc/krb5.conf --------

------- /etc/sssd/sssd.conf --------
[domain/default]
    krb5_ccname_template = KEYRING:persistent:%U
------- /etc/sssd/sssd.conf --------

This should fix the problem of directories not existing permanently, as the kernel keyring is always available.
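
Added example, not part of the bug report or any commenter's text: a small checker for the two failure modes discussed in this thread, libkrb5 and SSSD resolving to different credential cache names (comment #8) and a FILE:/DIR: cache whose parent directory does not exist (the original report). The function names, the `DIR:/run/user/%{uid}/krb5cc` value and the `/tmp` fallback for `krb5_ccachedir` are assumptions of this example; the other settings are the ones quoted in comments #4 and #9.

```python
import os
import re

# Settings quoted in comments #4 and #9; MISMATCH_KRB5 is a constructed value.
TMP_KRB5 = "[libdefaults]\ndefault_ccache_name = /tmp/krb5cc_%{uid}\n"
TMP_SSSD = "[domain/LDAP]\nkrb5_ccachedir = /tmp\nkrb5_ccname_template = FILE:%d/krb5cc_%U\n"
KEYRING_KRB5 = "[libdefaults]\ndefault_ccache_name = KEYRING:persistent:%{uid}\n"
KEYRING_SSSD = "[domain/default]\nkrb5_ccname_template = KEYRING:persistent:%U\n"
MISMATCH_KRB5 = "[libdefaults]\ndefault_ccache_name = DIR:/run/user/%{uid}/krb5cc\n"

def read_key(text, section, key):
    """Return key from [section] of an INI-style file, or None."""
    current = None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
        elif current == section and "=" in line and line[0] not in "#;":
            k, v = (p.strip() for p in line.split("=", 1))
            if k == key:
                return v
    return None

def resolve(template, uid, ccdir="/tmp"):
    """Expand %{uid} (krb5.conf) or %U and %d (sssd.conf); no prefix means FILE:."""
    if template is None:
        return None
    name = template.replace("%{uid}", str(uid)).replace("%U", str(uid)).replace("%d", ccdir)
    return name if re.match(r"[A-Z]+:", name) else "FILE:" + name

def check(krb5_conf, sssd_conf, domain, uid, isdir=os.path.isdir):
    """Return findings; an empty list means both sides agree and the directory exists."""
    sec = "domain/" + domain
    k = resolve(read_key(krb5_conf, "libdefaults", "default_ccache_name"), uid)
    s = resolve(read_key(sssd_conf, sec, "krb5_ccname_template"), uid,
                read_key(sssd_conf, sec, "krb5_ccachedir") or "/tmp")
    findings = []
    if k and s and k != s:
        findings.append(f"mismatch: libkrb5 uses {k}, SSSD writes {s}")
    for name in dict.fromkeys(n for n in (k, s) if n):
        kind, _, path = name.partition(":")
        parent = os.path.dirname(path)
        if kind in ("FILE", "DIR") and not isdir(parent):
            findings.append(f"missing directory {parent} for {name}")
    return findings
```

On a live host, pass the contents of /etc/krb5.conf and /etc/sssd/sssd.conf and leave `isdir` at its default so the directory test hits the real filesystem.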

http://bugzilla.novell.com/show_bug.cgi?id=844198

Lokesh Babu <lokesh.k@microfocus.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |http://bugzilla.novell.com/show_bug.cgi?id=1030249