Bug 9994 - Local user's krb5cc deleted by pam_winbind
Summary: Local user's krb5cc deleted by pam_winbind
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.6
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
: 9108 (view as bug list)
Depends on:
Reported: 2013-07-03 19:42 UTC by David Woodhouse
Modified: 2013-08-14 08:53 UTC (History)
3 users (show)

See Also:

v4-0-test and v4-1-test patch (1.43 KB, patch)
2013-07-15 13:59 UTC, Andreas Schneider
gd: review+

Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2013-07-03 19:42:25 UTC
If I run 'sudo' and enter my password correctly, pam_winbind gets me a shiny new Kerberos TGT with a completely fresh 10-day renewable lifetime. Yay!.

If I run 'sudo' and get my password *wrong*, pam_winbind deletes my existing, valid, credentials cache. Bad winbind. No biscuit.

[dwoodhou@i7 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_504
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
03/07/13 20:27:59  04/07/13 06:27:59  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 02/08/13 20:27:59
03/07/13 20:27:59  04/07/13 06:27:59  DWOODHOU-LINUX$@GER.CORP.INTEL.COM
	renew until 02/08/13 20:27:59
[dwoodhou@i7 ~]$ sudo whoami
[sudo] password for dwoodhou: 
Sorry, try again.
[sudo] password for dwoodhou: 
Sorry, try again.
[sudo] password for dwoodhou: 
Sorry, try again.
sudo: 3 incorrect password attempts
[dwoodhou@i7 ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_504)

This is particularly problematic for me since the user I usually run as is not the 'dwoodhou' user that matches my domain username. I don't think winbind can do any kind of automatic mapping, so I log in with pam_unix and then use 'wbinfo -K dwoodhou' to prime the ntlm_auth helper and obtain my TGT (although for some reason I think it doesn't get *renewed* automatically when I do it that way? 

The result is that when I fudge my password during 'sudo' or presumably any other PAM run, pam_winbind gets to wipe my creds cache and even when I get my password *right* on a second attempt, it doesn't get recreated.
Comment 1 David Woodhouse 2013-07-03 19:42:40 UTC
Breakpoint 1, unlink () at ../sysdeps/unix/syscall-template.S:81
Missing separate debuginfos, use: debuginfo-install sssd-client-1.10.0-12.fc19.beta2.x86_64
(gdb) up
#1  0x0000003d5fc35129 in krb5_fcc_destroy (context=0x1d55fe0, id=0x1d5f110)
    at cc_file.c:1606
1606	    ret = unlink(data->filename);
(gdb) p data->filename
$1 = 0x1d51f80 "/tmp/krb5cc_1000"
(gdb) bt
#0  unlink () at ../sysdeps/unix/syscall-template.S:81
#1  0x0000003d5fc35129 in krb5_fcc_destroy (context=0x1d55fe0, id=0x1d5f110)
    at cc_file.c:1606
#2  0x0000003d9040855a in ads_kdestroy (
    cc_name=cc_name@entry=0x1d55a30 "FILE:/tmp/krb5cc_1000")
    at ../source3/libads/kerberos.c:320
#3  0x000000000043a4a9 in winbindd_raw_kerberos_login (
    krb5ccname=0x7fff06f58418 "", info3=0x7fff06f570d0, uid=1000, 
    krb5_cc_type=0x7fff06f580d8 "FILE", pass=0x7fff06f57bd8 "asd", 
    user=0x7fff06f57ad8 "GER\\dwmw2", domain=0x1d46d50, mem_ctx=0x1d4cd70)
    at ../source3/winbindd/winbindd_pam.c:686
#4  winbindd_dual_pam_auth_kerberos (domain=0x1d46d50, info3=0x7fff06f570d0, 
    state=0x7fff06f57950) at ../source3/winbindd/winbindd_pam.c:1113
#5  winbindd_dual_pam_auth (domain=0x1d46d50, state=0x7fff06f57950)
    at ../source3/winbindd/winbindd_pam.c:1627
#6  0x0000000000450257 in child_process_request (child=0x1d44940, 
    child=0x1d44940, state=0x7fff06f57950)
    at ../source3/winbindd/winbindd_dual.c:441
#7  fork_domain_child (child=0x1d44940)
    at ../source3/winbindd/winbindd_dual.c:1554
#8  0x0000000000450cc5 in wb_child_request_trigger (req=0x1d45f30, 
    private_data=<optimized out>) at ../source3/winbindd/winbindd_dual.c:146
#9  0x0000003d83e043f4 in tevent_common_loop_immediate ()
---Type <return> to continue, or q <return> to quit---
   from /lib64/libtevent.so.0
#10 0x0000003d8a24360c in run_events_poll (ev=0x1d3edb0, pollrtn=0, pfds=0x0, 
    num_pfds=0) at ../source3/lib/events.c:192
#11 0x0000003d8a2438f4 in s3_event_loop_once (ev=0x1d3edb0, 
    location=<optimized out>) at ../source3/lib/events.c:303
#12 0x0000003d83e03bcd in _tevent_loop_once () from /lib64/libtevent.so.0
#13 0x000000000042008a in main (argc=<optimized out>, argv=<optimized out>, 
    envp=<optimized out>) at ../source3/winbindd/winbindd.c:1525
Comment 2 David Woodhouse 2013-07-05 22:19:26 UTC
Also filed as https://bugzilla.redhat.com/show_bug.cgi?id=981033 where I have added a trivial straw-man patch.
Comment 3 Andreas Schneider 2013-07-15 13:59:26 UTC
Created attachment 9047 [details]
v4-0-test and v4-1-test patch
Comment 4 Guenther Deschner 2013-07-17 15:19:27 UTC
Comment on attachment 9047 [details]
v4-0-test and v4-1-test patch

looks good.
Comment 5 Andreas Schneider 2013-07-17 15:20:09 UTC
Karolin, could you please add it to 4.0 and 4.1? Thanks!
Comment 6 Karolin Seeger 2013-07-18 17:57:21 UTC
Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
Comment 7 Karolin Seeger 2013-07-24 18:29:28 UTC
Pushed to v4-0-test and v4-1-test.
Closing out bug report.

Comment 8 Andreas Schneider 2013-08-12 12:26:30 UTC
Karolin, could you please add the patch to 3.6 too? It cleanly applies. Thanks!
Comment 9 Andreas Schneider 2013-08-12 12:27:00 UTC
*** Bug 9108 has been marked as a duplicate of this bug. ***
Comment 10 Karolin Seeger 2013-08-14 08:53:16 UTC
Pushed to v3-6-test, will be included in Samba 3.6.19.
Closing out bug report.