[krbdev.mit.edu #7851] Change in behaviour in the kernel keyring ccache
Sumit Bose via RT
rt-comment@krbdev.mit.edu
Fri Jan 24 08:55:02 EST 2014
Hi,
I came across the following while testing my S4U2Self patches. If I use kvno to
get tickets for multiple other users, the FILE credential cache will store all
tickets while the KEYRING will only store the last S4U2Self ticket. But all the
cross-realm TGTs are kept, as can be seen by the last call. Ordinary service
tickets are kept as well.
I haven't looked at the code, but I guess the tickets are replaced because the
service principal is always the same and the client principal is not checked.
bye,
Sumit
[root@vm-215 ~]# export KRB5CCNAME=FILE:/tmp/bla
[root@vm-215 ~]# kdestroy -A
[root@vm-215 ~]# klist -A
[root@vm-215 ~]# kinit -k 'VM-215$@DOM1.FOO'
[root@vm-215 ~]# kvno -U 'Administrator@DOM1.FOO' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# kvno -U 'Administrator@DOM2.BAR' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# kvno -U 'Administrator@SUBDOM.SUB' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# klist -A
Ticket cache: FILE:/tmp/bla
Default principal: VM-215$@DOM1.FOO
Valid starting Expires Service principal
23.01.2014 17:16:15 24.01.2014 03:16:15 krbtgt/DOM1.FOO@DOM1.FOO
renew until 30.01.2014 17:16:15
23.01.2014 17:16:23 24.01.2014 03:16:15 VM-215$@DOM1.FOO
for client Administrator\@DOM1.FOO@DOM1.FOO, renew until 30.01.2014 17:16:15
23.01.2014 17:16:26 24.01.2014 03:16:15 krbtgt/DOM2.BAR@DOM1.FOO
renew until 30.01.2014 17:16:15
23.01.2014 17:16:26 24.01.2014 03:16:15 VM-215$@DOM1.FOO
for client Administrator\@DOM2.BAR@DOM2.BAR, renew until 30.01.2014 17:16:15
23.01.2014 17:16:30 24.01.2014 03:16:15 krbtgt/DOM2.BAR@DOM1.FOO
renew until 30.01.2014 17:16:15
23.01.2014 17:16:29 24.01.2014 03:16:15 krbtgt/SUBDOM.SUB@DOM1.FOO
renew until 30.01.2014 17:16:15
23.01.2014 17:16:29 24.01.2014 03:16:15 krbtgt/SUBDOM.SUB@DOM2.BAR
renew until 30.01.2014 17:16:15
23.01.2014 17:16:30 24.01.2014 03:16:15 VM-215$@DOM1.FOO
for client Administrator\@SUBDOM.SUB@SUBDOM.SUB, renew until 30.01.2014 17:16:15
[root@vm-215 ~]# unset KRB5CCNAME
[root@vm-215 ~]# kdestroy -A
[root@vm-215 ~]# klist -A
[root@vm-215 ~]# kinit -k 'VM-215$@DOM1.FOO'
[root@vm-215 ~]# kvno -U 'Administrator@DOM1.FOO' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: VM-215$@DOM1.FOO
Valid starting Expires Service principal
23.01.2014 17:21:36 24.01.2014 03:21:31 VM-215$@DOM1.FOO
for client Administrator\@DOM1.FOO@DOM1.FOO, renew until 30.01.2014 17:21:31
23.01.2014 17:21:31 24.01.2014 03:21:31 krbtgt/DOM1.FOO@DOM1.FOO
renew until 30.01.2014 17:21:31
[root@vm-215 ~]# kvno -U 'Administrator@DOM2.BAR' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: VM-215$@DOM1.FOO
Valid starting Expires Service principal
23.01.2014 17:21:45 24.01.2014 03:21:31 krbtgt/DOM2.BAR@DOM1.FOO
renew until 30.01.2014 17:21:31
23.01.2014 17:21:45 24.01.2014 03:21:31 VM-215$@DOM1.FOO
for client Administrator\@DOM2.BAR@DOM2.BAR, renew until 30.01.2014 17:21:31
23.01.2014 17:21:31 24.01.2014 03:21:31 krbtgt/DOM1.FOO@DOM1.FOO
renew until 30.01.2014 17:21:31
[root@vm-215 ~]# kvno -U 'Administrator@SUBDOM.SUB' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: VM-215$@DOM1.FOO
Valid starting Expires Service principal
23.01.2014 17:21:55 24.01.2014 03:21:31 krbtgt/SUBDOM.SUB@DOM2.BAR
renew until 30.01.2014 17:21:31
23.01.2014 17:21:55 24.01.2014 03:21:31 krbtgt/SUBDOM.SUB@DOM1.FOO
renew until 30.01.2014 17:21:31
23.01.2014 17:21:57 24.01.2014 03:21:31 krbtgt/DOM2.BAR@DOM1.FOO
renew until 30.01.2014 17:21:31
23.01.2014 17:21:57 24.01.2014 03:21:31 VM-215$@DOM1.FOO
for client Administrator\@SUBDOM.SUB@SUBDOM.SUB, renew until 30.01.2014 17:21:31
23.01.2014 17:21:31 24.01.2014 03:21:31 krbtgt/DOM1.FOO@DOM1.FOO
renew until 30.01.2014 17:21:31
[root@vm-215 ~]# kvno -U 'Administrator@DOM1.FOO' 'VM-215$@DOM1.FOO'
VM-215$@DOM1.FOO: kvno = 4
[root@vm-215 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: VM-215$@DOM1.FOO
Valid starting Expires Service principal
23.01.2014 17:21:55 24.01.2014 03:21:31 krbtgt/SUBDOM.SUB@DOM2.BAR
renew until 30.01.2014 17:21:31
23.01.2014 17:21:55 24.01.2014 03:21:31 krbtgt/SUBDOM.SUB@DOM1.FOO
renew until 30.01.2014 17:21:31
23.01.2014 17:21:57 24.01.2014 03:21:31 krbtgt/DOM2.BAR@DOM1.FOO
renew until 30.01.2014 17:21:31
23.01.2014 17:23:11 24.01.2014 03:21:31 VM-215$@DOM1.FOO
for client Administrator\@DOM1.FOO@DOM1.FOO, renew until 30.01.2014 17:21:31
23.01.2014 17:21:31 24.01.2014 03:21:31 krbtgt/DOM1.FOO@DOM1.FOO
renew until 30.01.2014 17:21:31
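The following is an added illustration, not part of the report above and not MIT krb5 code. It models the store semantics the report guesses at: an append-only cache (the FILE behaviour shown) next to a keyed cache whose key is derived from the service principal only, so a new S4U2Self ticket for a different client replaces the previous one (the KEYRING behaviour shown), and the same keyed cache with the client principal folded into the key. The stored sequence mirrors the transcript (kinit, then three kvno -U calls with the cross-realm TGTs they fetch); the principal strings are copied from the klist output, and the class, function and key names are the example's own assumptions. The last function is the check a tester would run after each kvno -U: which impersonated users have lost their ticket.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    """One credential-cache entry: who the ticket was issued to, and for which service.
    For an S4U2Self ticket, client is the impersonated user (an enterprise name here)."""
    client: str
    server: str


class CredCache:
    """Model of a ccache. key_fn=None means append-only (every store is kept);
    otherwise a store replaces any existing entry that maps to the same key.
    This is a constructed model of the suspected mechanism, not the real ccache code."""

    def __init__(self, key_fn=None):
        self.key_fn = key_fn
        self._list = []
        self._by_key = {}

    def store(self, cred):
        if self.key_fn is None:
            self._list.append(cred)
        else:
            self._by_key[self.key_fn(cred)] = cred  # same key => silent replacement

    def entries(self):
        return list(self._list) if self.key_fn is None else list(self._by_key.values())


# Assumed KEYRING key: the service principal alone (matches the report's guess).
def server_only_key(cred):
    return cred.server


# Corrected key: client and server together, so S4U2Self tickets for different
# impersonated users no longer collide.
def client_and_server_key(cred):
    return (cred.client, cred.server)


HOST = "VM-215$@DOM1.FOO"
IMPERSONATED = [
    "Administrator\\@DOM1.FOO@DOM1.FOO",
    "Administrator\\@DOM2.BAR@DOM2.BAR",
    "Administrator\\@SUBDOM.SUB@SUBDOM.SUB",
]


def run_scenario(cache):
    """Replay the transcript: kinit -k for the host, then kvno -U for three users,
    each preceded by the cross-realm TGT(s) the referral path needs."""
    cache.store(Cred(HOST, "krbtgt/DOM1.FOO@DOM1.FOO"))
    cache.store(Cred(IMPERSONATED[0], HOST))
    cache.store(Cred(HOST, "krbtgt/DOM2.BAR@DOM1.FOO"))
    cache.store(Cred(IMPERSONATED[1], HOST))
    cache.store(Cred(HOST, "krbtgt/SUBDOM.SUB@DOM1.FOO"))
    cache.store(Cred(HOST, "krbtgt/SUBDOM.SUB@DOM2.BAR"))
    cache.store(Cred(IMPERSONATED[2], HOST))
    return cache


def clients_for_service(cache, service):
    """Distinct client principals holding a ticket for `service` (sorted for stable output)."""
    return sorted({c.client for c in cache.entries() if c.server == service})


def missing_s4u2self(cache, service, expected_clients):
    """Tester's check: impersonated users whose S4U2Self ticket is no longer in the cache."""
    return sorted(set(expected_clients) - set(clients_for_service(cache, service)))


if __name__ == "__main__":
    for label, key_fn in (("append-only (FILE)", None),
                          ("keyed on server (KEYRING, as observed)", server_only_key),
                          ("keyed on client+server", client_and_server_key)):
        cache = run_scenario(CredCache(key_fn))
        print(f"{label}: {len(cache.entries())} entries, "
              f"missing S4U2Self for {missing_s4u2self(cache, HOST, IMPERSONATED)}")
```

With the server-only key the model ends with five entries and only the last impersonated user's ticket, exactly the shape of the final klist above; the cross-realm TGTs survive because each has a distinct service principal. Folding the client principal into the key keeps all seven.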