Store Kerberos user TGT
Issue description

Design doc: https://docs.google.com/document/d/1JsKxfOBoTo3yxriSpGY0nab67NzT90hUey7Of-1ubjg/edit#heading=h.ke7qrpas1b8j

Make sure to store all state including the current users' data (UserData, current_user_account_id_key_), so that the state can be fully restored and it looks like the user authenticated successfully.
Aug 16

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/4e5b155dce389226292dc2245ee8939671a67c11

commit 4e5b155dce389226292dc2245ee8939671a67c11
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Aug 16 20:14:36 2018

platform_FilePerms: Handle /run/daemon-store

Whitelists /run/daemon-store and makes sure that all contained directories are root-owned with a corresponding directory in /etc/daemon-store. Cryptohome mounts the user's cryptohome into these daemon store directories. See CL:1136440 for details.

CQ-DEPEND=CL:1127665
BUG= chromium:738433
TEST=Ran test

Change-Id: Id9a6c86df6e5e27a3b816ab2f23f27ff659f5704
Reviewed-on: https://chromium-review.googlesource.com/1169817
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>

[modify] https://crrev.com/4e5b155dce389226292dc2245ee8939671a67c11/client/site_tests/platform_FilePerms/platform_FilePerms.py
Aug 16

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/554a5968219105dff472531d0d32f550e41ed68a

commit 554a5968219105dff472531d0d32f550e41ed68a
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Aug 16 20:14:35 2018

cryptohome: Bind mount daemon store folders

Adds infrastructure that allows system daemons that run inside a mount namespace to 'see' their per-user daemon store folder in Cryptohome mounts. This is implemented in a way that only the daemon sees its own daemon store and nobody else's and other daemons do not see this daemon's store.

The first user is authpolicyd, which stores the user's Kerberos ticket in this folder, see CL:1113917.

See CL:1136440 resp. (once that CL lands) https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md for details.

CQ-DEPEND=CL:1169817
BUG= chromium:738433
TEST=cros_run_unit_tests --board=amd64-generic --packages cryptohome
     With the above authpolicy CL, log in to an Active Directory managed device and check /home/root/<user_hash>/authpolicyd. A file should appear there.

Change-Id: Ibf6469f608857613d4d4ebfc226f98811e1d4c01
Reviewed-on: https://chromium-review.googlesource.com/1127665
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>

[modify] https://crrev.com/554a5968219105dff472531d0d32f550e41ed68a/cryptohome/mount.h
[modify] https://crrev.com/554a5968219105dff472531d0d32f550e41ed68a/init/chromeos_startup
[modify] https://crrev.com/554a5968219105dff472531d0d32f550e41ed68a/cryptohome/mount.cc
[modify] https://crrev.com/554a5968219105dff472531d0d32f550e41ed68a/cryptohome/mount_unittest.cc
Aug 16

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/docs/+/0e63b543cf14bb88015b9e6f094e659821285cf0

commit 0e63b543cf14bb88015b9e6f094e659821285cf0
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Aug 16 20:14:37 2018

sandboxing.md: Document daemon store mounts

Documents a new way to set up Cryptohome daemon store folders, so that the Cryptohome mount event propagates into mount namespaces. This allows daemons that run inside a mount namespaces to securely use per-user daemon storage ('user' in the sense of Chrome OS user account, not Linux user).

CQ-DEPEND=CL:1127665
BUG= chromium:738433
TEST=Viewed in VSCode built-in MD viewer

Change-Id: I16563f298bd427e0c6fa4d531669b26f3f964396
Reviewed-on: https://chromium-review.googlesource.com/1136440
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/0e63b543cf14bb88015b9e6f094e659821285cf0/sandboxing.md
[add] https://crrev.com/0e63b543cf14bb88015b9e6f094e659821285cf0/images/sandboxing_daemon_store.png
Aug 24

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/236f24260b395f08a8abd7a53650d1c458849b00

commit 236f24260b395f08a8abd7a53650d1c458849b00
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Aug 24 15:13:39 2018

authpolicy: Create daemon-store directory prototype

Creates /etc/daemon-store/authpolicyd and sets ownership. In a nutshell, this allows Cryptohome to mount the user's cryptohome to a location that can propagate into authpolicyd's mount namespace. See CL:1113917 for more info.

CQ-DEPEND=CL:1170839
BUG= chromium:738433
TEST=Tested on device that folder exists

Change-Id: Iebf7cdd356e13f03377c98a15be435038bfec54c
Reviewed-on: https://chromium-review.googlesource.com/1165354
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>

[modify] https://crrev.com/236f24260b395f08a8abd7a53650d1c458849b00/chromeos-base/authpolicy/authpolicy-9999.ebuild
Sep 4

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b

commit fe16ed19bf79b5f9230fa6f0f65ea88bad96289b
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Sep 04 14:29:46 2018

authpolicy: Back up auth state to user's Cryptohome

Authpolicyd stores the user's authentication state (Kerberos ticket etc.) in memory. Whenever the user logs out and back in, authpolicyd is restarted and loses that state. If the user is online during login, the state is renewed. However, if they are offline during login, the state cannot be renewed since the Kerberos ticket cannot be requested from the Active Directory server. Once they go online again, they see a popup asking to relog since the auth data is not valid. Policy fetch and Kerberos SSO are not available during such a session and people are going to have a bad time.

This CL fixes this by backing up user authentication state to the user's Cryptohome and restoring it whenever needed, e.g. after a restart when the user logs in while offline.

The tricky part of the CL is to allow the Cryptohome mount to be seen from authpolicyd's minijail, since authpolicyd is usually started before Cryptohome is mounted. To make this possible, Cryptohome creates a folder at /run/daemon-store/authpolicyd and bind-mounts it to itself as shared mounts. Authpolicyd remounts that folder as slave inside the mount namespace. Finally, Cryptohome bind-mounts /home/root/<user_hash>/authpolicyd into that folder, so that the mount propagates into authpolicyd's mount namespace.

CQ-DEPEND=CL:1165354
BUG= chromium:738433
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
     Login while online to fetch new Kerberos ticket. Log out, log back in while offline (so TGT fetch fails). Reconnect network. You should NOT see a notification asking you to relog since the ticket expired.

Change-Id: I9d5ef8228ceec71348b7102d840b16e535291607
Reviewed-on: https://chromium-review.googlesource.com/1113917
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/authpolicy.gyp
[add] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/cryptohome_client.h
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/session_manager_client.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/session_manager_client.h
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/cryptohome/etc/Cryptohome.conf
[add] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/cryptohome_client.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/tgt_manager.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/tgt_manager.h
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/samba_interface.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/samba_interface.h
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/path_service.h
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/path_service.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/authpolicy.cc
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/login_manager/SessionManager.conf
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/fe16ed19bf79b5f9230fa6f0f65ea88bad96289b/authpolicy/etc/init/authpolicyd.conf
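The shared/slave mount arrangement described in the commits above can be audited from mountinfo text. This is an added example, not code from these CLs or from the Chromium OS tree: the mountinfo lines, the user hash 0123abcd and the daemon name otherd are constructed, and it assumes the per-user folder is mounted below /run/daemon-store/<daemon>/.

```python
# Added example: audit daemon-store mount propagation from mountinfo text.
# All mountinfo lines, the user hash 0123abcd and "otherd" are constructed.
DAEMON_STORE = "/run/daemon-store"

INIT_NS = """
25 1 8:3 / / rw,relatime - ext4 /dev/root rw
71 25 0:22 /daemon-store/authpolicyd /run/daemon-store/authpolicyd rw,nosuid shared:40 - tmpfs tmpfs rw
72 25 0:22 /daemon-store/otherd /run/daemon-store/otherd rw,nosuid shared:41 - tmpfs tmpfs rw
90 71 8:5 /root/0123abcd/authpolicyd /run/daemon-store/authpolicyd/0123abcd rw,nodev shared:42 - ext4 /dev/sda5 rw
"""
JAIL_OK = """
180 179 8:3 / / ro,relatime - ext4 /dev/root ro
200 180 0:22 /daemon-store/authpolicyd /run/daemon-store/authpolicyd rw,nosuid master:40 - tmpfs tmpfs rw
201 200 8:5 /root/0123abcd/authpolicyd /run/daemon-store/authpolicyd/0123abcd rw,nodev master:42 - ext4 /dev/sda5 rw
"""
# Store left private instead of slave: the later Cryptohome mount never arrives.
JAIL_PRIVATE = """
180 179 8:3 / / ro,relatime - ext4 /dev/root ro
200 180 0:22 /daemon-store/authpolicyd /run/daemon-store/authpolicyd rw,nosuid - tmpfs tmpfs rw
"""

def parse_mountinfo(text):
    """Map mount point -> root and propagation tags (shared:N / master:N)."""
    mounts = {}
    for line in text.strip().splitlines():
        fields = line.split()
        sep = fields.index("-")  # optional fields sit between field 6 and "-"
        tags = dict(f.split(":", 1) for f in fields[6:sep] if ":" in f)
        mounts[fields[4]] = {"root": fields[3],
                             "shared": tags.get("shared"),
                             "master": tags.get("master")}
    return mounts

def check_daemon_store(init_ns, daemon_ns, daemon):
    """Return a list of problems with one daemon's store propagation setup."""
    store = f"{DAEMON_STORE}/{daemon}"
    host, jail = parse_mountinfo(init_ns), parse_mountinfo(daemon_ns)
    h, j = host.get(store), jail.get(store)
    problems = []
    if h is None or h["shared"] is None:
        problems.append(f"{store} is not a shared mount in the init namespace")
    if j is None or j["master"] is None:
        problems.append(f"{store} is not a slave mount in the daemon namespace")
    elif h and j["master"] != h["shared"]:
        problems.append(f"{store} slave is not fed by the init-namespace peer group")
    for mp in host:  # per-user mounts made after the daemon started
        if mp.startswith(store + "/") and mp not in jail:
            problems.append(f"{mp} did not propagate into the daemon namespace")
    for mp in jail:  # the daemon must see only its own store
        if mp.startswith(DAEMON_STORE + "/") and not (mp + "/").startswith(store + "/"):
            problems.append(f"{mp} is visible but belongs to another daemon")
    return problems
```

On a device the two inputs would be the contents of /proc/1/mountinfo and /proc/<authpolicyd pid>/mountinfo; an empty result means the store is shared outside, slave inside, and the per-user mount arrived.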
Nov 15

Verification:
Prepare an AD-enrolled Chromebook.
Log in while online to fetch new Kerberos ticket.
Log out.
Log back in while offline (so TGT fetch fails).
Reconnect network to go back online.
You should NOT see a notification asking you to relog since the ticket expired. The ticket should be recovered from backup.
Refresh policy and check /var/log/authpolicy.log. User policy fetch should succeed.
grep RefreshUserPolicy /var/log/authpolicy.log should contain "RefreshUserPolicy succeeded"
Nov 21

Verified fixed. When network is reconnected, there is no notification asking to re-login, user policy fetch succeeded, /var/log/authpolicy.log contains "RefreshUserPolicy succeeded".

Chrome OS: 11282.0.0
Chrome: 72.0.3612.0
Device: Nautilus
Comment 1 by ljusten@chromium.org
, Jun 30 2017