[opensuse-factory] ERROR: /run/user/0/ does not exist
Hi

13.1 beta 1

When trying to get Kerberos tickets, the directory does not exist e.g. as root:

  kinit Administrator
  kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache

If I now create the directory: /run/user/0 and now kinit, it works fine and I get a ticket.

This is different behavior from 12.3, where the ticket cache was stored in /tmp

Can I:
1. Get back to the 12.3 behaviour?
2. Adjust something to create the /run/user/0 directory if root attempts a kinit?

Thanks,
Lynn
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 10/05/2013 04:38 PM, lynn wrote:
> Hi 13.1 beta 1
> When trying to get Kerberos tickets, the directory does not exist e.g.
> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
> If I now create the directory: /run/user/0

/run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
-- Sebastian
On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
> On 10/05/2013 04:38 PM, lynn wrote:
>> Hi 13.1 beta 1
>> When trying to get Kerberos tickets, the directory does not exist e.g.
>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
>> If I now create the directory: /run/user/0
> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
> --

Hi
The problem is that this works fine in 12.3, where the cache is produced in /tmp during the mounting of Kerberised cifs shares. As root is never going to be logged in when we need to mount the shares, how can we work around this issue which has become apparent in 13.1 beta? IOW, /tmp is _always_ available whereas /run/user/0 isn't.
Thanks,
L x
On Sat, 05 Oct 2013 18:52:26 +0200 lynn <lynn@steve-ss.com> wrote:
> On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
>> On 10/05/2013 04:38 PM, lynn wrote:
>>> Hi 13.1 beta 1
>>> When trying to get Kerberos tickets, the directory does not exist e.g.
>>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache

Please explain in which case you are doing it without being logged in.

>>> If I now create the directory: /run/user/0
>> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
>> --
> Hi The problem is that this works fine in 12.3, where the cache is produced in /tmp during the mounting of Kerberised cifs shares. As root is never going to be logged in when we need to mount the shares,

Well, that's rather exaggerated. Please explain what you are doing as a whole. Otherwise you get the same result as in the story about the elephant and the blind men ...

> how can we work around this issue which has become apparent in 13.1 beta?

This depends on what you are doing. As an example, you can use "kinit -c /path/to/cccache".

> IOW, /tmp is _always_ available whereas /run/user/0 isn't.

Not necessarily. /tmp may also be a per-service private directory.
On Sun, 2013-10-06 at 10:15 +0400, Andrey Borzenkov wrote:
> On Sat, 05 Oct 2013 18:52:26 +0200 lynn <lynn@steve-ss.com> wrote:
>> On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
>>> On 10/05/2013 04:38 PM, lynn wrote:
>>>> Hi 13.1 beta 1
>>>> When trying to get Kerberos tickets, the directory does not exist e.g.
>>>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
> Please explain in which case you are doing it without being logged in.
>>>> If I now create the directory: /run/user/0
>>> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
>>> --
>> Hi The problem is that this works fine in 12.3, where the cache is produced in /tmp during the mounting of Kerberised cifs shares. As root is never going to be logged in when we need to mount the shares,
> Well, that's rather exaggerated. Please explain what you are doing as a whole. Otherwise you get the same result as in the story about the elephant and the blind men ...
>> how can we work around this issue which has become apparent in 13.1 beta?
> This depends on what you are doing. As an example, you can use "kinit -c /path/to/cccache".
>> IOW, /tmp is _always_ available whereas /run/user/0 isn't.
> Not necessarily. /tmp may also be a per-service private directory.

Hi
The users are windows domain users who need their home directories and the other shares automounted from the file server via kerberised cifs using sssd. The kerberos cache must be available for the mount to succeed, otherwise cifs.upcall fails with 'unable to initialise cache'.

systemd creates the /run/user/$UID directory upon login, so it will not be present on a client machine as root will not have logged in; we need that directory to be present _before_ the user hits the file server.

I gave kinit as an example because I didn't think anyone would understand the use case, so thanks for asking.

It seems a real pain to have to use systemd-tmpfiles now in 13.1, when /tmp has served perfectly well to store the root cache in all previous openSUSE versions.

My workaround for the moment is to put the following in /etc/init.d/boot.local:

  mkdir /run/user/0 && chmod 0700 /run/user/0

I'm sure that there is something simple I've overlooked. Thanks for your interest.
L x
On Sun, 06 Oct 2013 08:40:18 +0200 lynn <lynn@steve-ss.com> wrote:
> Hi The users are windows domain users who need their home directories and the other shares automounted from the file server via kerberised cifs using sssd. The kerberos cache must be available for the mount to succeed, otherwise cifs.upcall fails with 'unable to initialise cache'.
> systemd creates the /run/user/$UID directory upon login, so it will not be present on a client machine as root will not have logged in; we need that directory to be present _before_ the user hits the file server.
> I gave kinit as an example because I didn't think anyone would understand the use case, so thanks for asking.
> It seems a real pain to have to use systemd-tmpfiles now in 13.1, when /tmp has served perfectly well to store the root cache in all previous openSUSE versions.
> My workaround for the moment is to put the following in /etc/init.d/boot.local: mkdir /run/user/0 && chmod 0700 /run/user/0

Does setting default_ccache_name to the old default in krb5.conf work? It is simpler, and note that /run/user/$UID is removed when all user sessions are closed.

> I'm sure that there is something simple I've overlooked. Thanks for your interest. L x
On Sun, 2013-10-06 at 19:02 +0400, Andrey Borzenkov wrote:
> On Sun, 06 Oct 2013 08:40:18 +0200 lynn <lynn@steve-ss.com> wrote:
>> Hi The users are windows domain users who need their home directories and the other shares automounted from the file server via kerberised cifs using sssd. The kerberos cache must be available for the mount to succeed, otherwise cifs.upcall fails with 'unable to initialise cache'.
>> systemd creates the /run/user/$UID directory upon login, so it will not be present on a client machine as root will not have logged in; we need that directory to be present _before_ the user hits the file server.
>> I gave kinit as an example because I didn't think anyone would understand the use case, so thanks for asking.
>> It seems a real pain to have to use systemd-tmpfiles now in 13.1, when /tmp has served perfectly well to store the root cache in all previous openSUSE versions.
>> My workaround for the moment is to put the following in /etc/init.d/boot.local: mkdir /run/user/0 && chmod 0700 /run/user/0
> Does setting default_ccache_name to the old default in krb5.conf work? It is simpler, and note that /run/user/$UID is removed when all user sessions are closed.

Hi
The manpage doesn't list an option for default_ccache_name, at least not in the 13.1 version.

>> I'm sure that there is something simple I've overlooked. Thanks for your interest. L x
On Mon, 2013-10-07 at 09:21 +0200, lynn wrote:
> On Sun, 2013-10-06 at 19:02 +0400, Andrey Borzenkov wrote:
> Hi The manpage doesn't list an option for default_ccache_name, at least not in the 13.1 version.

Hi
OK. I had an old build of factory. I now have krb5 1.13 from a zypper dup and indeed:

  [libdefaults]
  default_ccache_name = /tmp/krb5cc_%{uid}

Solves the problem. The cache is now produced as in the good old days under /tmp.

I'd still like the openSUSE devs to know about this though. Do you think it would be OK if I posted this in the bugzilla? I wonder if this is the intended solution to the issue?

Maybe 13.1 thinks that destroying the /run/user/$UID on shutdown is more secure? But I think that for Kerberos, that's not an issue as even if the cache remains in /tmp for ever, it's only of any use for the 10 hours-ish immediately after its creation.

Thanks.
On Monday 07 October 2013 10.02:52 lynn wrote:
> On Mon, 2013-10-07 at 09:21 +0200, lynn wrote:
>> On Sun, 2013-10-06 at 19:02 +0400, Andrey Borzenkov wrote:
>> Hi The manpage doesn't list an option for default_ccache_name, at least not in the 13.1 version.
> Hi OK. I had an old build of factory. I now have krb5 1.13 from a zypper dup and indeed:
> [libdefaults] default_ccache_name = /tmp/krb5cc_%{uid}
> Solves the problem. The cache is now produced as in the good old days under /tmp.
> I'd still like the openSUSE devs to know about this though. Do you think it would be OK if I posted this in the bugzilla? I wonder if this is the intended solution to the issue?
> Maybe 13.1 thinks that destroying the /run/user/$UID on shutdown is more secure? But I think that for Kerberos, that's not an issue as even if the cache remains in /tmp for ever, it's only of any use for the 10 hours-ish immediately after its creation.
> Thanks.

Any information you find, like this, is important to store in the bugzilla. You should also check what happens if systemctl cleaning of /tmp suddenly starts. Is the cache still there?
-- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member GPG KEY : D5C9B751C4653227 irc: tigerfoot
On 07/10/13 05:02, lynn wrote:
> On Mon, 2013-10-07 at 09:21 +0200, lynn wrote:
>> On Sun, 2013-10-06 at 19:02 +0400, Andrey Borzenkov wrote:
>> Hi The manpage doesn't list an option for default_ccache_name, at least not in the 13.1 version.
> Hi OK. I had an old build of factory. I now have krb5 1.13 from a zypper dup and indeed:
> [libdefaults] default_ccache_name = /tmp/krb5cc_%{uid}
> Solves the problem. The cache is now produced as in the good old days under /tmp.

I am not convinced that using /tmp is correct... probably we need to modify the default to /run/krb5/$something and allow that directory only to be written and/or read by root... using named files in /tmp for this purpose looks like a security hole from here.

> I'd still like the openSUSE devs to know about this though. Do you think it would be OK if I posted this in the bugzilla?

Yes.
-- "If debugging is the process of removing bugs, then programming must be the process of putting them in." - Edsger Dijkstra
On Mon, 07 Oct 2013 21:50:49 -0300 Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> I am not convinced that using /tmp is correct... probably we need to modify the default to /run/krb5/$something and allow that directory only to be written and/or read by root...

Credentials cache must be accessible by the user to whom it belongs.

> using named files in /tmp for this purpose looks like a security hole from here.

cifs.upcall actually relies on it being in /tmp because it has to search for it (there is no interface to pass location between kernel and upcall). But in the case of systemd, using /tmp is in general wrong (/tmp can be private) and using /run/user/$UID is wrong as well because it does not survive session end. So we need some per-user persistent directory that exists at least as long as the system is running.

>> I'd still like the openSUSE devs to know about this though. Do you think it would be OK if I posted this in the bugzilla?
> Yes.
On Mon, 2013-10-07 at 21:50 -0300, Cristian Rodríguez wrote:
> On 07/10/13 05:02, lynn wrote:
>> [libdefaults] default_ccache_name = /tmp/krb5cc_%{uid}
>> Solves the problem. The cache is now produced as in the good old days under /tmp.
> I am not convinced that using /tmp is correct... probably we need to modify the default to /run/krb5/$something and allow that directory only to be written and/or read by root...

Hi
The MIT devs have it in /tmp (now and upstream) with no plan to change. If only root is to be given access to $something, then how and where do other users store their own caches? Please do not set the default to a directory to which only root has access. This would make matters far worse.
Thanks,
L x
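Added example, not part of the original thread or of any poster's message: a shell audit for the FILE-type cache path /tmp/krb5cc_%{uid} that the thread settles on, checking the properties that make a named file in /tmp risky (symlink, wrong owner, group/other permission bits). The function names are hypothetical, only the %{uid} token is expanded, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a FILE-type Kerberos credential cache such as the
# /tmp/krb5cc_<uid> files discussed in this thread. Function names are
# hypothetical; stat -c assumes GNU coreutils.

# Expand the %{uid} token of a default_ccache_name value for one uid.
# Only %{uid} is handled; an optional FILE: prefix is stripped.
expand_ccache_name() {
    template=$1
    uid=$2
    template=${template#FILE:}
    printf '%s\n' "$template" | sed "s/%{uid}/$uid/g"
}

# audit_ccache PATH EXPECTED_UID
# Prints a verdict and returns 0 only when the cache is a regular file
# (not a symlink), owned by EXPECTED_UID, with no group/other permission bits.
audit_ccache() {
    path=$1
    want_uid=$2
    if [ -L "$path" ]; then
        echo "FAIL symlink: $path"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL missing or not a regular file: $path"; return 1
    fi
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL owner $owner, expected $want_uid: $path"; return 1
    fi
    # The last two octal digits are group and other; both must be 0.
    case $mode in
        0|*00) ;;
        *) echo "FAIL mode $mode exposes cache to group/other: $path"; return 1 ;;
    esac
    echo "OK $path (uid $owner, mode $mode)"
}

# Demo: audit the invoking user's cache under the /tmp template from the thread.
me=$(id -u)
audit_ccache "$(expand_ccache_name 'FILE:/tmp/krb5cc_%{uid}' "$me")" "$me" || true
```
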
On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
> On 10/05/2013 04:38 PM, lynn wrote:
>> Hi 13.1 beta 1
>> When trying to get Kerberos tickets, the directory does not exist e.g.
>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
>> If I now create the directory: /run/user/0
> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
> -- Sebastian

Hi
Thanks for the reply. As this works perfectly when the cache is produced in /tmp (as in 12.3 and all other previous versions), I take it this must be something that has changed in 13.1 beta. Sure, I can work around it, but it's going to be a pain in a big domain if this is still the case with the release.
L x
On Sunday 06 October 2013 13.59:10 lynn wrote:
> On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
>> On 10/05/2013 04:38 PM, lynn wrote:
>>> Hi 13.1 beta 1
>>> When trying to get Kerberos tickets, the directory does not exist e.g.
>>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
>>> If I now create the directory: /run/user/0
>> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
> Hi Thanks for the reply. As this works perfectly when the cache is produced in /tmp (as in 12.3 and all other previous versions), I take it this must be something that has changed in 13.1 beta. Sure, I can work around it, but it's going to be a pain in a big domain if this is still the case with the release. L x

Lynn, really, open a bug at bugzilla.novell.com about this, so it will be tracked and a correct resolution has to be found. I would say the main component affected is sssd and the way it calls kinit (you can ping back the bnc number here)
-- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member GPG KEY : D5C9B751C4653227 irc: tigerfoot
On Sun, 2013-10-06 at 16:09 +0200, Bruno Friedmann wrote:
> On Sunday 06 October 2013 13.59:10 lynn wrote:
>> On Sat, 2013-10-05 at 17:37 +0200, Sebastian wrote:
>>> On 10/05/2013 04:38 PM, lynn wrote:
>>>> Hi 13.1 beta 1
>>>> When trying to get Kerberos tickets, the directory does not exist e.g.
>>>> as root: kinit Administrator kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
>>>> If I now create the directory: /run/user/0
>>> /run/user/$UID is created by systemd when a user logs on via systemd. So if you use su or sudo it won't be created. Therefore this is a bug in kinit.
>> Hi Thanks for the reply. As this works perfectly when the cache is produced in /tmp (as in 12.3 and all other previous versions), I take it this must be something that has changed in 13.1 beta. Sure, I can work around it, but it's going to be a pain in a big domain if this is still the case with the release. L x
> Lynn, really, open a bug at bugzilla.novell.com about this, so it will be tracked and a correct resolution has to be found.
> I would say the main component affected is sssd and the way it calls kinit
> (you can ping back the bnc number here)

https://bugzilla.novell.com/show_bug.cgi?id=844198
participants (5)
- Andrey Borzenkov
- Bruno Friedmann
- Cristian Rodríguez
- lynn
- Sebastian