[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

abbra freeipa-github-notification@redhat.com
Fri Mar 24 07:40:37 UTC 2017


  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

abbra commented:
"""
I tested the whole patchset. It worked for me the first time I got an expired cookie. However, it broke ~10 minutes afterwards -- apparently, the keyring ccache was empty, according to `klist`. After a few more minutes I was able to list the TGT from the same ccache and the `ipa` CLI worked again.

I suspect we created something that MIT Kerberos library does not really understand.

```text
[10609] 1490339971.189122: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin@XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=NtVuqNjq7jKtuDiw9lDSxHI%2frs5vd4UZ9o1sSZjDAemTImufljlG66i3l6MgA%2fmxtC0kPQgUqUEVcFJ04GWKOzK%2bYeTTEeAXrs59sNUq4VZzmRDTbLW%2by9ccodzlUdoeIiDVKdJsGHlBKyKTtcm1UW0a0LY%2bQLJscOQImQOlNpJ%2bxFs3szGU5w1rFbjQPwp6\x00
[10609] 1490339971.189156: Storing admin@XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```
... some time later, in a different execution of ipa user-show ...

```text
ipa: DEBUG: New HTTP connection (nyx.xs.ipa.cool)
ipa: DEBUG: HTTP connection destroyed (nyx.xs.ipa.cool)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 676, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 628, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 585, in _handle_exception
    raise errors.CCacheError()
CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_140537682029648
ipa: ERROR: did not receive Kerberos credentials
[root@nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: admin@XS.IPA.COOL

Valid starting       Expires              Service principal
klist: No credentials cache found while retrieving a ticket
```

.... some time afterwards, without running kinit ....

```text
[root@nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: admin@XS.IPA.COOL

Valid starting       Expires              Service principal
03/24/2017 08:07:02  03/25/2017 08:06:56  krbtgt/XS.IPA.COOL@XS.IPA.COOL
```

.... and running ipa user-show now succeeds in retrieving old cookie, invalidating it, negotiating a new one, and storing it ....

```text
[10747] 1490340689.131026: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin@XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=J9aCtYUAsRFpJJhrMu4x4E2gwA2ojJOPdYT7iN7GtTyec7%2fj9lW1LyzgpLhjawaCa9MsK%2btOPDF6mKTsCSJqey3vhgY35ezg8Cwzbln6yGr0kPfDCWoxSQGYWx%2fSSIRVltu8akoXu1NvzP1%2bF0NEFrdzGi2%2bZDZXRFvUC5UpLg%2b3JMg5ZNExYlr%2bLHHQpAJh\x00
[10747] 1490340689.131071: Storing admin@XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288954010
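The trace quoted in the comment shows the session cookie being written to ccache config with a literal `\x00` at the end of the value. As an added check (example code, not FreeIPA's and not part of the PR), the following Python scans KRB5_TRACE output for `Storing config` entries, decodes the trace's `\xNN` escapes back to bytes, flags any byte that cannot appear in an HTTP header field value (RFC 7230 field-content excludes CTL characters other than HTAB, so a trailing NUL would be rejected or truncated when the cookie is sent back), and confirms that the follow-up `krb5_ccache_conf_data/<key>/<principal>@X-CACHECONF:` line names the same ccache, key and principal as the config line. The embedded trace lines are constructed after the ones in the comment with the bearer tokens shortened; the regular expressions assume the MIT krb5 trace wording shown there.

```python
import re

# Constructed sample KRB5_TRACE output, modelled on the lines quoted in the comment
# (bearer tokens shortened).  krb5 trace output renders non-printable bytes as
# \xNN escapes, so the trailing NUL on the first entry appears literally as "\x00".
SAMPLE_TRACE = r"""
[10609] 1490339971.189122: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin@XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=NtVuqNjq7jKtuDiw9lDSxHI%2frs5vd4UZ9o1sSZjDAemTImufljlG66i3l6MgA%2fmxtC0k\x00
[10609] 1490339971.189156: Storing admin@XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
[10747] 1490340689.131026: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin@XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=J9aCtYUAsRFpJJhrMu4x4E2gwA2ojJOPdYT7iN7GtTyec7%2fj9lW1LyzgpLhjawaCa9Ms
[10747] 1490340689.131071: Storing admin@XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
"""

# "Storing config in <ccache> for <principal>: <key>: <value>"
CONFIG_STORE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[\d.]+): Storing config in (?P<ccache>\S+) "
    r"for (?P<princ>[^\s:]+): (?P<key>[^:]+): (?P<value>.*)$"
)
# MIT krb5 keeps ccache config as a credential whose server principal is
# krb5_ccache_conf_data/<key>/<client principal>@X-CACHECONF:, with '@' inside
# the embedded principal quoted as '\@'.
CONF_CRED = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[\d.]+): Storing (?P<princ>\S+) -> "
    r"krb5_ccache_conf_data/(?P<key>[^/]+)/(?P<qprinc>\S+)@X-CACHECONF: in (?P<ccache>\S+)$"
)
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_trace_escapes(text: str) -> bytes:
    """Turn the trace's printable form (with \\xNN escapes) back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def header_value_problems(value: bytes):
    """Offsets and values of bytes that are not legal in an HTTP header field value."""
    return [(i, b) for i, b in enumerate(value)
            if (b < 0x20 and b != 0x09) or b == 0x7F]


def parse_cookie_stores(trace: str):
    """Pair each 'Storing config' line with its X-CACHECONF credential line and
    return one dict per stored config entry with the checks applied."""
    entries = []
    pending = None
    for line in trace.splitlines():
        m = CONFIG_STORE.match(line)
        if m:
            raw = decode_trace_escapes(m.group("value"))
            pending = {
                "ccache": m.group("ccache"),
                "principal": m.group("princ"),
                "key": m.group("key"),
                "value": raw,
                "problems": header_value_problems(raw),
                "trailing_nul": raw.endswith(b"\x00"),
                "conf_principal_ok": None,  # filled in from the X-CACHECONF line
            }
            entries.append(pending)
            continue
        m = CONF_CRED.match(line)
        if m and pending is not None:
            qprinc = m.group("qprinc").replace("\\@", "@")
            pending["conf_principal_ok"] = (
                m.group("key") == pending["key"]
                and qprinc == pending["principal"]
                and m.group("ccache") == pending["ccache"]
            )
            pending = None
    return entries


if __name__ == "__main__":
    for e in parse_cookie_stores(SAMPLE_TRACE):
        state = "trailing NUL" if e["trailing_nul"] else "clean"
        conf = "conf principal ok" if e["conf_principal_ok"] else "conf principal MISMATCH"
        print(f'{e["principal"]} {e["key"]}: {len(e["value"])} bytes, {state}, {conf}')
```

Run it against real output with `KRB5_TRACE=/dev/stderr ipa user-show admin 2> trace.txt` and feed `trace.txt` to `parse_cookie_stores`; an entry with `trailing_nul` set is the case the comment describes, and a `conf_principal_ok` of `False` would point at a naming problem in the stored credential rather than in the value.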
