[Freeipa-devel] Issues with session caching in Kerberos ccaches

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 22 13:47:17 UTC 2017


Hi,

we have a number of issues with session caching in Kerberos ccaches:

 - MIT Kerberos FILE: ccache code always appends entries, so we end
   up with ever-growing ccache files. In the KEYRING: case we are lucky that
   the add_key syscall actually updates the key with the same name.

 - MIT Kerberos FILE: and KEYRING: ccache code does not allow removing a
   cred from the ccache. The corresponding functions simply return
   KRB5_CC_NOSUPP;

As a result, using the FILE: ccache type does not allow us to override our
session cookie stored as a config entry in the ccache. Successive runs
of the ipa CLI create new entries in the ccache:

# strings /tmp/root.cc|grep -A3 krb5_ccache_conf_data
krb5_ccache_conf_data
fast_avail
krbtgt/XS.IPA.COOL@XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
pa_type
krbtgt/XS.IPA.COOL@XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188185818841; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:09:45 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188233395149; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:10:33 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188672108356; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:17:52 GMT; Secure; HttpOnly

The output above is after three successive runs.

Once we put the cookie in the FILE: ccache, it cannot be removed from there
and cannot be replaced. Also, as the retrieval code in krb5_cc_get_conf()
ends up calling krb5_cc_retrieve_cred() with 0 flags and only has a cred
principal name constructed out of our conf key (X-IPA-Session-Cookie),
none of the matching logic for "most recent ticket" could be applied.

I have a workaround in https://github.com/freeipa/freeipa/pull/638 that
allows us to recover in the case where we are using the KEYRING: ccache type
and the server refuses to accept our cookie -- this happens within about
10-15 minutes after the last time the cookie was used -- but I have no
solution for FILE: ccaches.

-- 
/ Alexander Bokovoy

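The behaviour described in the message above (config entries appended to a FILE: ccache on every run, and a first-match lookup that therefore returns the oldest X-IPA-Session-Cookie) can be reproduced offline with a small parser for the MIT FILE: ccache format. The code below is an added example, not FreeIPA or MIT krb5 code. It constructs an in-memory version-4 ccache shaped like the strings(1) output in the post (a TGT plus krb5_ccache_conf_data entries, three of them for the session cookie), models retrieval as "first exact match in file order", and shows one out-of-band way to deal with the growth: rewriting the file so only the newest entry per config key survives. The layout follows the FILE: ccache format as documented by MIT krb5 (big-endian fields, v4 header tags); the cookie values, times and the helper names `get_config` and `compact_config` are constructed for the example.

```python
"""Parse, query and compact krb5_ccache_conf_data entries in a MIT FILE: ccache (v4).
Added example, not FreeIPA/MIT code; sample data below is constructed."""
import struct

CONF_REALM = "X-CACHECONF:"          # realm used by all config pseudo-credentials
CONF_NAME = "krb5_ccache_conf_data"  # first server-principal component of a config entry


# ---- encoding, used only to build the constructed sample ccache ----
def _data(b):
    return struct.pack(">I", len(b)) + b

def encode_principal(realm, components, name_type=1):
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)

def encode_cred(client, server, ticket, endtime=0):
    out = encode_principal(*client) + encode_principal(*server)
    out += struct.pack(">HI", 0, 0)                     # keyblock: enctype 0, empty key
    out += struct.pack(">IIII", 0, 0, endtime, 0)       # authtime, starttime, endtime, renew_till
    out += b"\x00" + struct.pack(">I", 0)               # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                     # no addresses, no authdata
    return out + _data(ticket) + _data(b"")             # ticket (config value), second_ticket

def encode_ccache(default_principal, creds):
    header = struct.pack(">HHII", 1, 8, 0, 0)           # one DeltaTime tag with a zero offset
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    return out + encode_principal(*default_principal) + b"".join(encode_cred(*c) for c in creds)


# ---- parsing ----
class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def principal(self):
        self.u32()                                      # name type, not needed here
        n = self.u32()
        realm = self.data().decode()
        return realm, [self.data().decode() for _ in range(n)]

def parse_ccache(buf):
    """Return (prefix_bytes, creds). Each cred keeps its raw bytes so the file can be rewritten."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE: ccache format version 4 is handled here")
    r.take(r.u16())                                     # header tags (DeltaTime ...)
    r.principal()                                       # default principal
    prefix, creds = buf[:r.pos], []
    while r.pos < len(buf):
        start = r.pos
        client, server = r.principal(), r.principal()
        r.u16(); r.data()                               # keyblock: enctype, key contents
        times = tuple(r.u32() for _ in range(4))        # authtime, starttime, endtime, renew_till
        r.take(1); r.u32()                              # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.data()      # addresses
        for _ in range(r.u32()): r.u16(); r.data()      # authdata
        ticket = r.data(); r.data()                     # ticket (config value), second_ticket
        creds.append({"client": client, "server": server, "ticket": ticket,
                      "endtime": times[2], "raw": buf[start:r.pos]})
    return prefix, creds


# ---- config-entry handling ----
def config_key(cred):
    """(key, principal-string-or-None) if cred is a krb5_ccache_conf_data entry, else None."""
    realm, comps = cred["server"]
    if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_NAME:
        return comps[1], (comps[2] if len(comps) > 2 else None)
    return None

def get_config(creds, key, principal=None):
    """First exact match in file order: with duplicates, the oldest entry wins."""
    for c in creds:
        if config_key(c) == (key, principal):
            return c["ticket"]
    return None

def compact_config(buf):
    """Rewrite buf keeping every real credential and only the newest entry per config key."""
    prefix, creds = parse_ccache(buf)
    last = {config_key(c): i for i, c in enumerate(creds) if config_key(c) is not None}
    kept = [c for i, c in enumerate(creds) if config_key(c) is None or last[config_key(c)] == i]
    return prefix + b"".join(c["raw"] for c in kept)


# Constructed sample: what three successive ipa CLI runs leave behind in a FILE: ccache.
USER = ("XS.IPA.COOL", ["admin"])
TGT = ("XS.IPA.COOL", ["krbtgt", "XS.IPA.COOL"])
def conf(key, princ_str, value):
    return (USER, (CONF_REALM, [CONF_NAME, key, princ_str]), value)

SAMPLE = encode_ccache(USER, [
    (USER, TGT, b"<constructed ticket>", 1490200000),
    conf("fast_avail", "krbtgt/XS.IPA.COOL@XS.IPA.COOL", b"yes"),
    conf("pa_type", "krbtgt/XS.IPA.COOL@XS.IPA.COOL", b"2"),
    conf("X-IPA-Session-Cookie", "admin@XS.IPA.COOL", b"ipa_session=ONE; expiry=1490188185"),
    conf("X-IPA-Session-Cookie", "admin@XS.IPA.COOL", b"ipa_session=TWO; expiry=1490188233"),
    conf("X-IPA-Session-Cookie", "admin@XS.IPA.COOL", b"ipa_session=THREE; expiry=1490188672"),
])

if __name__ == "__main__":
    _, creds = parse_ccache(SAMPLE)
    print(len(creds), "entries; lookup returns:", get_config(creds, "X-IPA-Session-Cookie", "admin@XS.IPA.COOL"))
    _, kept = parse_ccache(compact_config(SAMPLE))
    print(len(kept), "entries after compaction; lookup returns:",
          get_config(kept, "X-IPA-Session-Cookie", "admin@XS.IPA.COOL"))
```

Two caveats if anyone turns the compaction idea into a real tool: a ccache holds session keys as well as the bearer cookie, so the rewritten file must be created with the same owner and 0600 mode and moved into place atomically (write to a temporary file in the same directory, then rename) rather than truncated in place, since kinit, klist or a concurrent ipa run may be reading or appending at the same moment; and the cookie itself is a bearer token, so anything that prints parsed entries (as the strings(1) output in the post does) is leaking a usable credential.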