Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()

Bug #985031 reported by Mark Russell on 2012-04-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)

Bug Description

credential cache can get corrupted

[Test case]
use cached credentials, notice how the file can get corrupted over time

[Regression potential]
small, included upstream since 1.8.4

[Other info]

Known upstream bug, see:

Quoting from the upstream description:

"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."

In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default:

"krb5_canonicalize (boolean)
           Specifies if the host and user principal should be canonicalized. This
           feature is available with MIT Kerberos >= 1.7

           Default: false"

Mark Russell (marrusl) on 2012-04-18
description: updated
Mark Russell (marrusl) on 2012-04-18
description: updated
Timo Aaltonen (tjaalton) wrote :

the upstream patch can't be backported as is, since it caused

so that one needs to be fixed first

Changed in sssd (Ubuntu):
importance: Undecided → High
status: New → Triaged
Timo Aaltonen (tjaalton) wrote :

I've pulled the three commits for this, waiting in git.

Changed in sssd (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (3.3 KiB)

This bug was fixed in the package sssd - 1.8.3-0ubuntu1

sssd (1.8.3-0ubuntu1) quantal; urgency=low

  * Merge from Debian git, remaining changes:
    - control, rules: Drop libsemanage-dev from build-depends, it's not
      in main. Configure --with-semanage=no.

sssd (1.8.3-1) UNRELEASED; urgency=low

  * New upstream bugfix release 1.8.2.
    - Several fixes to case-insensitive domain functions
    - Fix for GSSAPI binds when the keytab contains unrelated
    - Fixed several segfaults
    - Workarounds added for LDAP servers with unreadable RootDSE
    - SSH knownhostproxy will no longer enter an infinite loop
      preventing login
    - The provided SYSV init script now starts SSSD earlier at startup
      and stops it later during shutdown
    - Assorted minor fixes for issues discovered by static analysis
  * New upstream bugfix release 1.8.3.
    - Numerous manpage and translation updates
    - LDAP: Handle situations where the RootDSE isn't available anonymously
    - LDAP: Fix regression for users using non-standard LDAP attributes for
      user information
  * control: Move the dependency of libsasl2-modules-gssapi-mit to
  * control: sssd works with Heimdal gssapi modules too, add
    libsasl2-modules-gssapi-mit as an option for the Recommends.
    (LP: #966146)
  * libpam-sss.pam-auth-update:
    - Drop the dependency to 128, since pam_sss should always be below
      pam_unix. (LP: #957486)
    - Drop 'use_authtok' from the password stack, since it only works when
      pam_cracklib is installed. This will allow password changes on the
      default install.
  * sssd.postrm: Try to remove /etc/sssd only if it exists.
    (Closes: #666226)
  * Add disabled by default Apparmor profile (LP: #933342)
    - debian/ load the profile during pre-start
    - add debian/apparmor-profile, install to /etc/apparmor.d
    - debian/rules: use dh_apparmor to install profile before sssd is
    - debian/control: sssd Suggests apparmor (>= 2.3)
    - debian/control: Add dh-apparmor to build-depends
    - debian/sssd.preinst: disable profile on clean install or upgrades
      from earlier than when we shipped the profile
  * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
    identical across all archs. (Closes: #670019)
  * control: Add build-depends on libnl-dev to enable Netlink support.
  * control: Add build-depends on libkeyutil-dev to enable support for
    kernel keyring manipulation.
  * sssd.logrotate: Rotate logs weekly, keep four previous rotations.
    (Closes: #672984)
  * Pull patches from the stable branch to fix an issue that results in broken
    credential cache (LP: #985031)
    - patches/fix-upstream-1298.diff
      If canon'ing principals, write ccache with updated default principal
    - patches/fix-upstream-1297.diff
      Limit krb5_get_init_creds_keytab() to etypes in keytab
    - patches/fix-upstream-1330.diff
      KRB5: Avoid NULL-dereference with empty keytab
  * patches/fix-upstream-1343.diff
    - LDAP nested groups: Do not process callback with _post deep in the nested
      structure (LP: #981125)


Changed in sssd (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

keeping open for precise for a SRU

Changed in sssd (Ubuntu Precise):
importance: Undecided → High
status: New → Triaged
Timo Aaltonen (tjaalton) wrote :

Uploaded a new package for precise to

please test, it'll get SRU'd next.

Changed in sssd (Ubuntu Precise):
status: Triaged → Incomplete
Timo Aaltonen (tjaalton) on 2012-12-04
description: updated
Changed in sssd (Ubuntu Precise):
status: Incomplete → In Progress

Hello Mark, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in sssd (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Timo Aaltonen (tjaalton) on 2013-03-12
tags: added: verification-done
removed: verification-needed
Timo Aaltonen (tjaalton) wrote :

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.2

sssd (1.8.6-0ubuntu0.2) precise-proposed; urgency=low

  * rules: Really install the new pam-auth-update file for password
    changes. (LP: #1086272)
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)

Changed in sssd (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.