Package: sssd-krb5
Version: 1.16.3-3.2
Severity: important

Dear maintainers,

all Kerberos credential cache collections are unusable with sssd and the Debian kernel in Buster.

Details:

1) KEYRING:persistent fails to work since CONFIG_PERSISTENT_KEYRINGS is not set in the Kernel. Effectively, this yields a flaky (sometimes working, sometimes not) setup at runtime, since Kerberos falls back to the user keyring, and sssd-krb5's krb5_child and the kernel keyring garbage collector race. This is likely also one of the causes of #861222 (affects Jessie, in CC). Since the kernel option has been set to "yes" as of 5.5.17-1, I'm also CCing debian-kernel ML.

2) DIR:dirname fails since the directory is created by sssd-krb5 with broken permissions 0600. This has already been reported upstream in [0] by another user, but upstream recommended to use KEYRING:persistent instead, since DIR:dirname is not well tested.

3) KCM: fails with many or large tickets, as outlined in an upstream bug[1] only fixed in very recent sssd versions (>= 2.3) by a series of large patches.

I can open separate bugs on (1), (2) and (3) if wanted, but I imagine starting with an overview (since all collections are broken) is a better starting point (and fixing a single one definitely lower severity).

On a side-note, cache collections are needed in case tickets for multiple realms are to be stored, i.e. this issue affects any users working in multiple realms (and relying on SSSD). Non-SSSD consumers can work around the issue by using (2).

-- System Information
Debian Release: 10.7
Kernel: 4.19.0-13
Architecture: amd64 (x86_64)

[0] https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/3FH5A2M64KKVTPRUCWV4LLGWEYTV7CL5/
[1] https://github.com/SSSD/sssd/issues/4413
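
The three failure modes in the report above, written as a host check. This is an added example, not part of the original report or of sssd: the function names are hypothetical, the DIR: path is assumed to be already expanded (no %{uid} template), and the caller passes in the kernel config file and the sssd version string.

```sh
#!/bin/sh
# Added example: classify a default_ccache_name value against the three
# failure modes described in the report. Function names are hypothetical.

# 0 if the given kernel config file enables persistent keyrings.
# A disabled option appears as "# CONFIG_PERSISTENT_KEYRINGS is not set".
persistent_keyring_enabled() {
    grep -qx 'CONFIG_PERSISTENT_KEYRINGS=y' "$1"
}

# 0 if the directory exists and its owner has rwx. Mode 0600 lacks the
# search (x) bit, so files inside the directory cannot be reached.
dir_ccache_usable() {
    [ -d "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1     # GNU stat, prints e.g. "600"
    [ $(( (0$mode >> 6) & 7 )) -eq 7 ]      # owner bits of the octal mode
}

# 0 if the sssd version in $1 (e.g. "1.16.3-3.2") is at least 2.3,
# the release line the report names as carrying the KCM fix.
sssd_has_kcm_fix() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 3 ]; }
}

# check_ccache NAME KERNEL_CONFIG SSSD_VERSION
# Prints "ok" or the reason the collection type is expected to fail.
check_ccache() {
    case $1 in
        KEYRING:persistent*)
            persistent_keyring_enabled "$2" && echo ok ||
                echo "kernel lacks CONFIG_PERSISTENT_KEYRINGS" ;;
        DIR:*)
            dir_ccache_usable "${1#DIR:}" && echo ok ||
                echo "collection directory missing or owner lacks rwx" ;;
        KCM:*)
            sssd_has_kcm_fix "$3" && echo ok ||
                echo "sssd older than 2.3: KCM fails with many or large tickets" ;;
        *)
            echo "ccache type not covered by the report" ;;
    esac
}
```

On a Debian host the kernel config file is `/boot/config-$(uname -r)`, and the ccache name to test is the `default_ccache_name` value from krb5.conf.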