Issue 815158

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

Fix canonicalization for SPN

Reported by rsorokin@chromium.org, Feb 23 2018

Issue description

I suggest tying dns_canonicalize_hostname to DisableAuthNegotiateCnameLookup.

And setting rdns to false to make it consistent between Chrome and the gssapi library. (Currently reverse lookup is not done by Chrome.)

Owner: rsorokin@chromium.org
It's a problem in authpolicyd because DisableAuthNegotiateCnameLookup is a user policy:
- There's no infrastructure right now to load user policy at startup (and it might not be possible, since the user session isn't up yet).
- Chicken-and-egg problem: to fetch user policy, we need krb5.conf. To write dns_canonicalize_hostname to krb5.conf, we need user policy.

I'd suggest doing this in Chrome:
- Whenever Chrome writes krb5.conf, PREpend
[libdefaults]
	dns_canonicalize_hostname = false
to the file. I've verified that you can have multiple [libdefaults] entries and that whoever sets a setting first wins, hence PREpend, i.e.
[libdefaults]
	dns_canonicalize_hostname = false
[libdefaults]
	dns_canonicalize_hostname = true
would set dns_canonicalize_hostname to false.

Also need to watch for changes in DisableAuthNegotiateCnameLookup.
Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org, Apr 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d134a09bfac89f0e5e9961403fa3425f6731f302

commit d134a09bfac89f0e5e9961403fa3425f6731f302
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Tue Apr 03 16:55:03 2018

AuthPolicyCredentialsManager: Use ImportantFileWriter

Switching from my own invented bike to a library function for
credentials and config files.

BUG= 815158 
TEST=manual

Change-Id: I32db516219a7db17d8b0dd7a3ed0f15c8430389f
Reviewed-on: https://chromium-review.googlesource.com/974108
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547734}
[modify] https://crrev.com/d134a09bfac89f0e5e9961403fa3425f6731f302/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc


Comment 4 by bugdroid1@chromium.org, Apr 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5bb381fb0a01947402d38973ce197f21e2dc5e44

commit 5bb381fb0a01947402d38973ce197f21e2dc5e44
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Mon Apr 16 16:26:18 2018

AuthPolicyCredentialsManager: Create kerberos dir

Create directory for credentials cache and krb5.conf
Fixing regression that was introduced in CL:974108.

BUG= 815158 
TEST=manual

Change-Id: I9ec9ce411de25df504e165c1b1a025e5878c3ae7
Reviewed-on: https://chromium-review.googlesource.com/1013921
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550999}
[modify] https://crrev.com/5bb381fb0a01947402d38973ce197f21e2dc5e44/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc

Labels: Merge-Request-67
Requesting merge for the CL in #4. It fixes the regression introduced in #3. Small scope, matters for Active Directory devices only.

Comment 6 by bugdroid1@chromium.org, Apr 17 2018

Labels: merge-merged-testbranch
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5bb381fb0a01947402d38973ce197f21e2dc5e44

commit 5bb381fb0a01947402d38973ce197f21e2dc5e44
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Mon Apr 16 16:26:18 2018

AuthPolicyCredentialsManager: Create kerberos dir

Create directory for credentials cache and krb5.conf
Fixing regression that was introduced in CL:974108.

BUG= 815158 
TEST=manual

Change-Id: I9ec9ce411de25df504e165c1b1a025e5878c3ae7
Reviewed-on: https://chromium-review.googlesource.com/1013921
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550999}
[modify] https://crrev.com/5bb381fb0a01947402d38973ce197f21e2dc5e44/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc

Hi, difficult to capture context for merge analysis. M67 regression, bug, new feature, risk?
Hi, sorry for missing the context.
The thing is, I simplified my code a bit, but also removed the code which creates the directory for Kerberos credential files. So now Kerberos SSO does not work on Active Directory devices for newly added users. Kerberos SSO is also an Active Directory-only feature. (Active Directory is not widely used. We have very few customers trying it.)
So in this patch I revert the code which creates the directory.
I'm actually in the middle of writing browser tests for that.
So the scope is really small, it's a bug, and there's no risk for non-Active Directory devices.

Comment 9 by sheriffbot@chromium.org, Apr 18 2018

Labels: -Merge-Request-67 Merge-Approved-67 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by bugdroid1@chromium.org, Apr 19 2018

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ffd729a560ad55494c2d509e95f761c578280f7

commit 0ffd729a560ad55494c2d509e95f761c578280f7
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Apr 19 08:16:22 2018

AuthPolicyCredentialsManager: Create kerberos dir

Create directory for credentials cache and krb5.conf
Fixing regression that was introduced in CL:974108.

BUG= 815158 
TEST=manual

Change-Id: I9ec9ce411de25df504e165c1b1a025e5878c3ae7
Reviewed-on: https://chromium-review.googlesource.com/1013921
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#550999}
(cherry picked from commit 5bb381fb0a01947402d38973ce197f21e2dc5e44)
Reviewed-on: https://chromium-review.googlesource.com/1018801
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#120}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/0ffd729a560ad55494c2d509e95f761c578280f7/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc

Labels: -M-67 M-68

Comment 12 by bugdroid1@chromium.org, May 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7e9f7ca863e24f299ddb67f3ec8232a7f55818b4

commit 7e9f7ca863e24f299ddb67f3ec8232a7f55818b4
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu May 03 14:06:00 2018

Chromad: Propagate dns cname lookup policy to gssapi library.

The problem is that the gssapi library (which Chrome uses for Kerberos SSO) uses
krb5.conf settings. So even if DisableAuthNegotiateCnameLookup is enabled,
GSSAPI still does canonicalization internally. This can be toggled in krb5.conf
by setting dns_canonicalize_hostname, so this CL modifies the krb5.conf
we get from authpolicy accordingly. It also sets reverse dns (rdns) to false,
because Chrome does not do reverse search.

BUG= chromium:815158 
TEST=ExistingUserControllerActiveDirectoryTest.PolicyChangeTriggersFileUpdate

Change-Id: I418ed028d1bc4ba58883b01fb9f3c314fbed7c1c
Reviewed-on: https://chromium-review.googlesource.com/1016802
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555717}
[modify] https://crrev.com/7e9f7ca863e24f299ddb67f3ec8232a7f55818b4/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc
[modify] https://crrev.com/7e9f7ca863e24f299ddb67f3ec8232a7f55818b4/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.h
[modify] https://crrev.com/7e9f7ca863e24f299ddb67f3ec8232a7f55818b4/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager_unittest.cc
[modify] https://crrev.com/7e9f7ca863e24f299ddb67f3ec8232a7f55818b4/chrome/browser/chromeos/login/existing_user_controller_browsertest.cc
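The mechanism proposed in the owner's comment above and implemented by the CL in this comment, as an added example that is not code from the issue or from Chromium: a [libdefaults] block carrying dns_canonicalize_hostname (derived from DisableAuthNegotiateCnameLookup) and rdns = false is prepended to the krb5.conf received from authpolicy, and a minimal reader applies the "first setting wins" rule across repeated [libdefaults] sections to show which values the library would actually see. The function names, the policy flag parameter and the sample krb5.conf (EXAMPLE.COM realm, kdc.example.com) are constructed for this example; the precedence rule is the one the comment says was verified, not a full reimplementation of the krb5 profile library.

```python
"""Prepend a policy-controlled [libdefaults] block to an authpolicy krb5.conf.

Added example, not Chromium code. Names and the sample config are constructed.
"""
from typing import Dict

# Constructed stand-in for the krb5.conf that authpolicyd hands to Chrome.
# It already sets dns_canonicalize_hostname = true, which the prefix must beat.
AUTHPOLICY_CONF = """[libdefaults]
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        allow_weak_crypto = false
        dns_canonicalize_hostname = true
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
        }
"""


def build_policy_prefix(disable_cname_lookup: bool) -> str:
    """Build the [libdefaults] block that mirrors Chrome's own behaviour.

    DisableAuthNegotiateCnameLookup=true means Chrome does not canonicalize
    the SPN host, so the library must not either. rdns is always false
    because Chrome never does a reverse lookup (hypothetical parameter name).
    """
    canon = "false" if disable_cname_lookup else "true"
    return (
        "[libdefaults]\n"
        f"\tdns_canonicalize_hostname = {canon}\n"
        "\trdns = false\n"
    )


def prepend_policy_block(authpolicy_conf: str, disable_cname_lookup: bool) -> str:
    """PREpend (never append) so the policy-driven values are seen first."""
    return build_policy_prefix(disable_cname_lookup) + authpolicy_conf


def effective_libdefaults(conf: str) -> Dict[str, str]:
    """Return the effective [libdefaults] relations under 'first wins'.

    Multiple [libdefaults] sections are allowed; for each key the first
    occurrence in file order is kept and later ones are ignored.
    """
    effective: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "libdefaults" or "=" not in line:
            continue  # only scalar relations in [libdefaults] matter here
        key, _, value = line.partition("=")
        effective.setdefault(key.strip(), value.strip())  # first wins
    return effective


if __name__ == "__main__":
    for policy in (True, False):
        merged = prepend_policy_block(AUTHPOLICY_CONF, disable_cname_lookup=policy)
        eff = effective_libdefaults(merged)
        print(f"DisableAuthNegotiateCnameLookup={policy}: "
              f"dns_canonicalize_hostname={eff['dns_canonicalize_hostname']} "
              f"rdns={eff['rdns']} default_realm={eff['default_realm']}")
```

Because the prefix is prepended rather than merged into the existing section, the authpolicy-supplied values (enctypes, default_realm, realms) are left untouched and only the two keys the policy governs are overridden; rewriting the file whenever DisableAuthNegotiateCnameLookup changes is what keeps the library and Chrome consistent.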

Status: Fixed (was: Started)
Status: Verified (was: Fixed)
Verified fixed, kerberos directory with credentials cache and krb5.conf gets overridden per user login:

localhost /var/log # ls -l /home/chronos/user/kerberos/
total 20
-rw-------. 1 chronos chronos 4498 May  8 11:01 krb5cc
-rw-------. 1 chronos chronos  463 May  8 11:01 krb5.conf
localhost /var/log # cat /home/chronos/user/kerberos/krb5.conf 
[libdefaults]
        dns_canonicalize_hostname = true
        rdns = false
[libdefaults]
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        allow_weak_crypto = false
        clockskew = 300
        default_realm = CHROMEADM-LAB.COM
[realms]
        CHROMEADM-LAB.COM = {
                kdc = [35.187.70.179]
                kpasswd_server = [35.187.70.179]
        }
localhost /var/log #

Chrome OS: 10646.0.0
Chrome: 68.0.3419.0
Device: Robo360
