kerberos ccache filename is replaced on every concurrent login with the same user

[kaushikub]

Config file used:

[sssd]
domains = LDAP-KRB5
services = nss, pam
 
[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = $SERVER
krb5_realm = EXAMPLE.COM

A simple reproducer can be:

expect -f - <<<'
    spawn ssh -o StrictHostKeyChecking=no puser1@localhost
    expect "password: "
    send -- "$pass\r"
    expect "$ "
    sleep 1
    send -- "klist\r"
    expect "$ "
    sleep 15
    send -- "exit\r"
' &

sleep 5

expect -f - <<<'
    spawn ssh -o StrictHostKeyChecking=no puser1@localhost
    expect "password: "
    send -- "$pass\r"
    expect "$ "
    sleep 1
    send -- "klist\r"
    expect "$ "
    sleep 10
    send -- "exit\r"
' &

sleep 5

expect -f - <<<'
    spawn ssh -o StrictHostKeyChecking=no puser1@localhost
    expect "password: "
    send -- "$pass\r"
    expect "$ "
    sleep 1
    send -- "klist\r"
    expect "$ "
    send -- "exit\r"
'

Check the klist output starting with "Ticket cache: FILE:". This changes every time.

[sumit-bose]

Hi,

the reason for this issue is most probably related to 4cb99a2 where krb5_child is kept alive between SSS_PAM_PREAUTH and SSS_PAM_AUTHENTICATE.

As @alexey-tikhonov discovered, k5c_ccache_setup() is not called during the SSS_PAM_PREAUTH setup and since there is no new setup for SSS_PAM_AUTHENTICATE the check if the ccache file with a random component should be recreated or not is never run.

HTH

bye,
Sumit