Issue 762035 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	ljusten@chromium.org
Closed:	Sep 2017
Cc:	rsorokin@chromium.org
Components:	Enterprise
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	2
Type:	Bug
Chromad M-63

authpolicy should trigger kerberos files changed signal on tgt renewal

Project Member Reported by rsorokin@chromium.org, Sep 5 2017

Issue description

Comment 1 by ljusten@chromium.org, Sep 19 2017

Status: Started (was: Assigned)

Project Member

Comment 2 by bugdroid1@chromium.org, Sep 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b99ccabf60bbf6021f30cbe96d2687913d4a0b27

commit b99ccabf60bbf6021f30cbe96d2687913d4a0b27
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Sep 21 15:05:39 2017

authpolicy: Trigger files changed signal on TGT renewal

Trigger UserKerberosFilesChanged if the Kerberos config file or the
credential cache change during TGT renewal. This is important so
Chrome gets notified when new files are available and it won't use
expired tickets for authentication.

BUG= chromium:762035 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: Ifa36d3c7961adbf6a1665aa9062518f7d54a4722
Reviewed-on: https://chromium-review.googlesource.com/675366
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/b99ccabf60bbf6021f30cbe96d2687913d4a0b27/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/b99ccabf60bbf6021f30cbe96d2687913d4a0b27/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/b99ccabf60bbf6021f30cbe96d2687913d4a0b27/authpolicy/tgt_manager.cc
[modify] https://crrev.com/b99ccabf60bbf6021f30cbe96d2687913d4a0b27/authpolicy/tgt_manager.h

Comment 3 by ljusten@chromium.org, Sep 26 2017

Cc: rsorokin@chromium.org
Status: Fixed (was: Started)

Roman, can you confirm it works?

Comment 4 by rsorokin@chromium.org, Oct 2 2017

It works.

Comment 5 by ibezmenov@chromium.org, Apr 17 2018

Status: Verified (was: Fixed)

Verified fixed. Authpolicy triggers kerberos files changed signal on tgt renewal:

2018-04-17T17:33:33.924490+00:00 INFO authpolicyd[3225]: Firing signal UserKerberosFilesChanged
2018-04-17T17:33:40.295596+00:00 INFO authpolicyd[3225]: TGT RENEWAL - Scheduling renewal in 7h 59m 54s (valid for 9h 59m 53s, renewable for 167h 59m 52s)
2018-04-17T17:33:40.295638+00:00 INFO authpolicyd[3225]: AuthenticateUser succeeded
2018-04-17T17:33:40.295987+00:00 INFO authpolicyd[3225]: All 1 calls to StoreUnsignedPolicyEx succeeded.
2018-04-17T17:33:43.275938+00:00 INFO authpolicyd[3225]: #033[41;1;97mReceived 'GetUserStatus' request#033[0m
2018-04-17T17:33:52.934349+00:00 INFO authpolicyd[3225]: GetUserStatus succeeded
2018-04-17T17:33:52.934612+00:00 INFO authpolicyd[3225]: #033[41;1;97mReceived 'GetUserKerberosFiles' request#033[0m
2018-04-17T17:33:52.934741+00:00 INFO authpolicyd[3225]: GetUserKerberosFiles succeeded
2018-04-17T17:33:52.935136+00:00 INFO authpolicyd[3225]: #033[41;1;97mReceived 'RefreshUserPolicy' request#033[0m
2018-04-17T17:33:57.752128+00:00 INFO authpolicyd[3225]: Getting user GPO list for user account
2018-04-17T17:34:05.740946+00:00 INFO authpolicyd[3225]: User policy fetch and parsing succeeded
2018-04-17T17:34:05.745235+00:00 INFO authpolicyd[3225]: All 1 calls to StoreUnsignedPolicyEx succeeded.
2018-04-17T17:34:57.099140+00:00 INFO authpolicyd[3225]: authpolicyd stopping with exit code 0
2018-04-17T17:34:58.796136+00:00 INFO authpolicyd[6907]: libminijail[2]: mount / -> / type ''
2018-04-17T17:34:58.796153+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /dev -> /dev type ''
2018-04-17T17:34:58.796160+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /sys -> /sys type ''
2018-04-17T17:34:58.796166+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /run -> /run type ''
2018-04-17T17:34:58.796172+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /var -> /var type ''
2018-04-17T17:34:58.796178+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /run/authpolicyd -> /run/authpolicyd type ''
2018-04-17T17:34:58.796185+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /var/lib/authpolicyd -> /var/lib/authpolicyd type ''
2018-04-17T17:34:58.796191+00:00 INFO authpolicyd[6907]: libminijail[2]: mount /var/lib/metrics -> /var/lib/metrics type ''
2018-04-17T17:34:58.799838+00:00 INFO authpolicyd[6907]: Install attributes locked to Active Directory mode.
2018-04-17T17:34:58.799917+00:00 INFO authpolicyd[6907]: authpolicyd starting
2018-04-17T17:34:58.801656+00:00 INFO authpolicyd[6907]: Read configuration file '/var/lib/authpolicyd/config.dat'
2018-04-17T17:34:58.801954+00:00 INFO authpolicyd[6907]: Running scheduled machine password age check
2018-04-17T17:35:03.230117+00:00 INFO authpolicyd[6907]: No need to change machine password (29 days left)
2018-04-17T17:35:05.641648+00:00 INFO authpolicyd[6907]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-17T17:35:16.317544+00:00 INFO authpolicyd[6907]: Firing signal UserKerberosFilesChanged
2018-04-17T17:35:21.633749+00:00 INFO authpolicyd[6907]: TGT RENEWAL - Scheduling renewal in 7h 59m 55s (valid for 9h 59m 54s, renewable for 167h 59m 54s)

Chrome OS: 10575.4.0
Chrome: 67.0.3396.8
Device: Paine

►

Issue 762035 link

Issue metadata

authpolicy should trigger kerberos files changed signal on tgt renewal

Issue description

Comment 1 by ljusten@chromium.org, Sep 19 2017

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Sep 21 2017

Comment 2 Deleted

Comment 3 by ljusten@chromium.org, Sep 26 2017

Comment 3 Deleted

Comment 4 by rsorokin@chromium.org, Oct 2 2017

Comment 4 Deleted

Comment 5 by ibezmenov@chromium.org, Apr 17 2018

Comment 5 Deleted

Sign in to add a comment