URL:
<http://savannah.cern.ch/bugs/?99540>
Summary: When using krb5 the user name is not extracted
Project: XROOTD
Submitted by: wilko
Submitted on: 2012-12-19 00:13
Report Type: Bug
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: wilko
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Fixed by commit(s):
_______________________________________________________
Details:
When using xrootd with krb5 authentication, xrootd was not able to obtain
the user name from the ticket; instead it was set to '?'. For example, the
xrootd log showed:

    xrdlog:121218 12:32:30 949 XrootdXeq: wilko.2367:21@host1 login as ?

The problem was that in XrdSecProtocolkrb5::Authenticate() the call to
pGuard.Valid() failed and it didn't get into the code path to extract the
user name. The xrootd was running as a non-privileged user but it used
krb_kt_uid=0 and that caused the Valid() function to fail (I believe because
it tried to change the euid).

The problem has been fixed in commit 031593e079d507058a133e030a200abf1c702cee
by setting krb_kt_uid to the uid of the xrootd process or the uid of the
keytab file user. The same is true for the gid.

I hope this didn't break anything for setups that already worked (which I
guess worked because xrootd was running as root).
_______________________________________________________
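Added example (not part of the bug report and not XRootD code): a C program showing why a guard that switches to a hard-coded uid 0 fails in a non-privileged process, and a uid choice that the process can always assume. The names try_assume_euid and pick_keytab_uid, the sample keytab path, and the rule "root uses the keytab owner, everyone else uses their own euid" are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Try to take `target` as effective uid, then restore the original.
 * Returns 0 on success, otherwise the errno from seteuid() (typically
 * EPERM when a non-privileged process asks for uid 0). */
int try_assume_euid(uid_t target)
{
    uid_t saved = geteuid();
    if (seteuid(target) != 0)
        return errno;
    if (seteuid(saved) != 0)   /* cannot get back: stop, do not continue */
        _exit(111);
    return 0;
}

/* Choose the uid a keytab guard should switch to. Assumed policy: a root
 * process uses the keytab file's owner; any other process keeps its own
 * euid, which is the only one it is allowed to assume. */
uid_t pick_keytab_uid(const char *keytab_path)
{
    struct stat st;
    uid_t me = geteuid();
    if (me == 0 && keytab_path && stat(keytab_path, &st) == 0)
        return st.st_uid;
    return me;
}

int main(int argc, char **argv)
{
    /* Sample path; pass the real keytab as the first argument. */
    const char *keytab = argc > 1 ? argv[1] : "/etc/krb5.keytab";
    uid_t chosen = pick_keytab_uid(keytab);
    int rc_zero = try_assume_euid(0);
    int rc_chosen = try_assume_euid(chosen);

    printf("euid=%ld, hard-coded uid 0: %s\n", (long)geteuid(),
           rc_zero ? strerror(rc_zero) : "ok");
    printf("chosen uid=%ld: %s\n", (long)chosen,
           rc_chosen ? strerror(rc_chosen) : "ok");
    return rc_chosen ? 1 : 0;
}
```

Run as the service account, a failure on the first line together with "login as ?" in the log points at the configured keytab uid rather than at the ticket itself.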