[Pkg-sssd-devel] Bug#977375: sssd(-krb5): All Kerberos credential cache collections unusable

Oliver Freyermuth freyermuth at physik.uni-bonn.de
Mon Dec 14 13:35:48 GMT 2020


Package: sssd-krb5
Version: 1.16.3-3.2
Severity: important

Dear maintainers,

all Kerberos credential cache collections are unusable with sssd and the Debian kernel in Buster.

Details:

1) KEYRING:persistent fails to work since CONFIG_PERSISTENT_KEYRINGS is not set in the Kernel.
    Effectively, this yields a flaky (sometimes working, sometimes not) setup at runtime,
    since Kerberos falls back to the user keyring, and sssd-krb5's krb5_child and the
    kernel keyring garbage collector race.
    This is likely also one of the causes of #861222 (affects Jessie, in CC).
    Since the kernel option has been set to "yes" as of 5.5.17-1, I'm also CCing debian-kernel ML.

2) DIR:dirname fails since the directory is created by sssd-krb5 with broken permissions 0600.
    This has already been reported upstream in [0] by another user, but upstream recommended to use KEYRING:persistent
    instead, since DIR:dirname is not well tested.

3) KCM: fails with many or large tickets, as outlined in an upstream bug[1] only fixed in very recent sssd versions
    (>= 2.3) by a series of large patches.

I can open separate bugs on (1), (2) and (3) if wanted, but I imagine starting with an overview (since all collections are broken)
is a better starting point (and fixing a single one is definitely of lower severity).

On a side-note, cache collections are needed in case tickets for multiple realms are to be stored,
i.e. this issue affects any users working in multiple realms (and relying on SSSD).
Non-SSSD consumers can work around the issue by using (2).

-- System Information
Debian Release: 10.7
Kernel: 4.19.0-13
Architecture: amd64 (x86_64)


[0] https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/3FH5A2M64KKVTPRUCWV4LLGWEYTV7CL5/
[1] https://github.com/SSSD/sssd/issues/4413
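Two of the three conditions the report names can be checked locally before choosing a cache collection: whether the running kernel was built with CONFIG_PERSISTENT_KEYRINGS (point 1), and whether the directory behind a DIR: cache is traversable rather than 0600 (point 2). The following POSIX sh script is an added example, not code from the bug report, from sssd or from MIT Kerberos; it assumes a Debian-style /boot/config-$(uname -r) (with /proc/config.gz as a fallback) and GNU coreutils `stat`, and the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example: preflight checks for Kerberos credential cache collections.
# Not part of the bug report, sssd or krb5. Assumes Debian's kernel config
# layout and GNU coreutils (stat -c). KCM ticket-size limits (point 3 of the
# report) are not checkable offline and are out of scope here.

# Print the path of the running kernel's config, or nothing if none is readable.
kernel_config_path() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        printf '%s\n' /proc/config.gz
    fi
}

# persistent_keyrings_enabled CONFIG_FILE
# 0 if the exact line CONFIG_PERSISTENT_KEYRINGS=y is present, 1 otherwise.
# "# CONFIG_PERSISTENT_KEYRINGS is not set" must not match, hence grep -x.
persistent_keyrings_enabled() {
    cfg=$1
    case $cfg in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -qx 'CONFIG_PERSISTENT_KEYRINGS=y'
}

# dir_ccache_usable DIRNAME
# 0 if DIRNAME is a directory with mode 0700 (owner rwx, nothing for others),
# 1 otherwise. A directory created with 0600 lacks the owner's x bit, so the
# owner cannot open files inside it: that is the DIR: failure described above.
dir_ccache_usable() {
    d=$1
    [ -d "$d" ] || return 1
    mode=$(stat -c '%a' "$d") || return 1
    case $mode in
        700) return 0 ;;
        *)   return 1 ;;
    esac
}

# ccache_type NAME
# Print the collection type of a KRB5CCNAME value: the text before the first
# ':' (KEYRING, DIR, KCM, FILE, ...), or FILE when there is no type prefix.
ccache_type() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Run the checks against the current environment and report the findings.
run_checks() {
    name=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
    echo "KRB5CCNAME=$name (type: $(ccache_type "$name"))"

    cfg=$(kernel_config_path)
    if [ -z "$cfg" ]; then
        echo "kernel config: not found, cannot verify CONFIG_PERSISTENT_KEYRINGS"
    elif persistent_keyrings_enabled "$cfg"; then
        echo "CONFIG_PERSISTENT_KEYRINGS=y in $cfg: KEYRING:persistent is available"
    else
        echo "CONFIG_PERSISTENT_KEYRINGS not set in $cfg: KEYRING:persistent will fall back to the user keyring"
    fi

    if [ "$(ccache_type "$name")" = DIR ]; then
        d=${name#DIR:}
        # DIR::/path/file names the primary cache file; check its directory.
        case $d in :*) d=$(dirname "${d#:}") ;; esac
        if dir_ccache_usable "$d"; then
            echo "DIR cache directory $d: mode 0700, usable"
        else
            echo "DIR cache directory $d: missing or wrong mode ($(stat -c '%a' "$d" 2>/dev/null || echo '?')), expected 0700"
        fi
    fi
}

# Only run the diagnostics when invoked as: sh krb5cc-preflight.sh --run
if [ "${1:-}" = --run ]; then
    run_checks
fi
```

Run it as `KRB5CCNAME=DIR:/run/user/$(id -u)/krb5cc sh krb5cc-preflight.sh --run` on the host in question; the mode check is deliberately based on the directory's permission bits rather than on `test -x`, so it still flags a 0600 directory when run as root.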
