abbra
2017-03-22 13:45:35 UTC
URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: opened
PR body:
"""
MIT Kerberos allows to store configuration entries in the ccache.
Unfortunately, there are big differences between ccache types in how
these entries behave:
- MIT Kerberos FILE: ccache code does always append entries, so we end
up with ever growing ccache files. In KEYRING: case we are lucky that
add_key syscall actually updates the key with the same name.
- MIT Kerberos FILE: and KEYRING: ccache code does not allow to remove
cred from ccache. Corresponding functions simply return
KRB5_CC_NOSUPP;
As result, using FILE: ccache type does not allow us to override our
session cookie stored as a config entry in the ccache. Successive runs
of ipa CLI create new entries in the ccache and only return the original
one.
Once we put a cookie in the FILE: ccache, it cannot be removed from
there and cannot be replaced. Also, as retrieval code in
krb5_cc_get_conf() ends up calling krb5_cc_retrieve_cred() with 0 flags
and only has a cred principal name constructed out of a our conf key
(X-IPA-Session_Cookie), none of the matching logic for "most recent
ticket" could be applied.
This commit attempts to improve situation for KEYRING: ccache type by
setting the cookie to a predefined 'empty' value when deleting config
entry. This avoids non-working 'remove cred' code path in ccache
processing in MIT Kerberos.
Additionally, when server side denies our cookie, it sends us empty
Negotiate value. We errorneously treat it as invalid token.
We also must use proper method to initialize our connection,
SSLTransport.make_connection knows nothing about setting up GSSAPI
client context, KrbTransport does. Unfortunately, with non-removable
session cookie the code to initialize session context never triggered
properly after expire.
Fixes https://pagure.io/freeipa/issue/6775
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638
Author: abbra
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: opened
PR body:
"""
MIT Kerberos allows to store configuration entries in the ccache.
Unfortunately, there are big differences between ccache types in how
these entries behave:
- MIT Kerberos FILE: ccache code does always append entries, so we end
up with ever growing ccache files. In KEYRING: case we are lucky that
add_key syscall actually updates the key with the same name.
- MIT Kerberos FILE: and KEYRING: ccache code does not allow to remove
cred from ccache. Corresponding functions simply return
KRB5_CC_NOSUPP;
As result, using FILE: ccache type does not allow us to override our
session cookie stored as a config entry in the ccache. Successive runs
of ipa CLI create new entries in the ccache and only return the original
one.
Once we put a cookie in the FILE: ccache, it cannot be removed from
there and cannot be replaced. Also, as retrieval code in
krb5_cc_get_conf() ends up calling krb5_cc_retrieve_cred() with 0 flags
and only has a cred principal name constructed out of a our conf key
(X-IPA-Session_Cookie), none of the matching logic for "most recent
ticket" could be applied.
This commit attempts to improve situation for KEYRING: ccache type by
setting the cookie to a predefined 'empty' value when deleting config
entry. This avoids non-working 'remove cred' code path in ccache
processing in MIT Kerberos.
Additionally, when server side denies our cookie, it sends us empty
Negotiate value. We errorneously treat it as invalid token.
We also must use proper method to initialize our connection,
SSLTransport.make_connection knows nothing about setting up GSSAPI
client context, KrbTransport does. Unfortunately, with non-removable
session cookie the code to initialize session context never triggered
properly after expire.
Fixes https://pagure.io/freeipa/issue/6775
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638