SSS key conflict resolution should be key-name based and not creation-date based
The following tests show that SSS key conflict resolution is not based on the name of a key but on its creation time:
CREATE TWO KEYS IN THE SAME SECOND, EACH IN A SEPARATE KEYTAB FILE
[itdssbuild01] sss > rm -rf sss; mkdir sss; cd sss
[itdssbuild01] sss > echo y | xrdsssadmin -k key1 -u key1_user -g key1_group add key1.sss.keytab; echo y | xrdsssadmin -k key1 -u key2_user -g key2_group add key2.sss.keytab
xrdsssadmin: Keyfile 'key1.sss.keytab' does not exist. Create it? (y | n): xrdsssadmin: 1 key out of 1 kept (0 expired).
xrdsssadmin: Keyfile 'key2.sss.keytab' does not exist. Create it? (y | n): xrdsssadmin: 1 key out of 1 kept (0 expired).
COMBINE THE KEYS INTO A SINGLE KEYTAB FILE
[itdssbuild01] sss > (cat key1.sss.keytab; echo; cat key2.sss.keytab) > allkeys.sss.keytab
[itdssbuild01] sss > chmod 600 allkeys.sss.keytab
[itdssbuild01] sss > xrdsssadmin list allkeys.sss.keytab
Number Len Date/Time Created Expires  Keyname User & Group
------ --- ----------------- -------- ------- ------------
     1  32 09/25/17 19:44:45 -------- key1    key2_user key2_group
     1  32 09/25/17 19:44:45 -------- key1    key1_user key1_group
[itdssbuild01] sss >
CREATE A VERY SIMPLE SSS ENABLED XROOTD SERVER CONFIG FILE
[itdssbuild01] sss > cat /etc/xrootd/xrootd-sss.cfg
all.export /tmp
xrootd.seclib libXrdSec.so
sec.protocol sss -s /home/smurray/sss/allkeys.sss.keytab
sec.protbind * only sss
[itdssbuild01] sss >
RUN THE XROOTD SERVER
[itdssbuild01] sss > /usr/bin/xrootd -c /etc/xrootd/xrootd-sss.cfg -k fifo -s /tmp/xrootd-sss.pid -n standalone -d
…
RUN A CLIENT COMMAND USING key1
[itdssbuild01] sss > XrdSecPROTOCOL=sss XrdSecSSSKT=key1.sss.keytab xrdfs localhost ls /tmp
[FATAL] Auth failed
[itdssbuild01] sss >
SERVER LOGS
170925 19:54:47 23868 XrdInet: Accepted connection from 21@localhost
170925 19:54:47 23868 XrdProtocol: matched protocol xrootd
170925 19:54:47 23868 ?:21@localhost XrdPoll: FD 21 attached to poller 0; num=1
170925 19:54:47 23868 ?:21@localhost XrootdProtocol: 0000 req=login dlen=95
170925 19:54:47 23868 sec_getParms: localhost sectoken=&P=sss,0.13:
170925 19:54:47 23868 smurray.24222:21@localhost XrootdResponse: 0000 sending 28 data bytes; status=0
170925 19:54:47 23868 smurray.24222:21@localhost XrootdProtocol: 0000 req=auth dlen=151
sec_PM: Using sss protocol, args='0.13:'
170925 19:54:47 23868 XrootdXeq: User authentication failed; Unable to decrypt credentials.
CREATING THE KEYS AGAIN, ONLY THIS TIME 2 SECONDS APART
[itdssbuild01] sss > echo y | xrdsssadmin -k key1 -u key1_user -g key1_group add key1.sss.keytab; sleep 2; echo y | xrdsssadmin -k key1 -u key2_user -g key2_group add key2.sss.keytab
xrdsssadmin: Keyfile 'key1.sss.keytab' does not exist. Create it? (y | n): xrdsssadmin: 1 key out of 1 kept (0 expired).
xrdsssadmin: Keyfile 'key2.sss.keytab' does not exist. Create it? (y | n): xrdsssadmin: 1 key out of 1 kept (0 expired).
[itdssbuild01] sss > (cat key1.sss.keytab; echo; cat key2.sss.keytab) > allkeys.sss.keytab
[itdssbuild01] sss > chmod 600 allkeys.sss.keytab
[itdssbuild01] sss > xrdsssadmin list allkeys.sss.keytab
Number Len Date/Time Created Expires  Keyname User & Group
------ --- ----------------- -------- ------- ------------
     1  32 09/25/17 19:57:14 -------- key1    key2_user key2_group
     1  32 09/25/17 19:57:12 -------- key1    key1_user key1_group
[itdssbuild01] sss >
[itdssbuild01] sss > /usr/bin/xrootd -c /etc/xrootd/xrootd-sss.cfg -k fifo -s /tmp/xrootd-sss.pid -n standalone -d
…
RUN A CLIENT COMMAND USING key1
[itdssbuild01] sss > XrdSecPROTOCOL=sss XrdSecSSSKT=key1.sss.keytab xrdfs localhost stat /tmp
Path: /tmp
Id: 144115493018598656
Size: 8192
MTime: 2017-09-25 18:01:04
Flags: 51 (XBitSet|IsDir|IsReadable|IsWritable)
[itdssbuild01] sss > XrdSecPROTOCOL=sss XrdSecSSSKT=key1.sss.keytab xrdfs localhost stat /tmp
Path: /tmp
Id: 144115493018598656
Size: 8192
MTime: 2017-09-25 18:01:04
Flags: 51 (XBitSet|IsDir|IsReadable|IsWritable)
[itdssbuild01] sss >
SERVER SIDE LOGS
170925 20:01:39 28991 XrdInet: Accepted connection from 24@localhost
170925 20:01:39 28993 XrdSched: running main accept inq=0
170925 20:01:39 28991 XrdProtocol: matched protocol xrootd
170925 20:01:39 28991 ?:24@localhost XrdPoll: FD 24 attached to poller 0; num=1
170925 20:01:39 28991 ?:24@localhost XrootdProtocol: 0000 req=login dlen=95
170925 20:01:39 28991 sec_getParms: localhost sectoken=&P=sss,0.13:
170925 20:01:39 28991 smurray.29140:24@localhost XrootdResponse: 0000 sending 28 data bytes; status=0
170925 20:01:39 28991 smurray.29140:24@localhost XrootdProtocol: 0000 req=auth dlen=151
sec_PM: Using sss protocol, args='0.13:'
RUN A CLIENT COMMAND USING key2
[itdssbuild01] sss > XrdSecPROTOCOL=sss XrdSecSSSKT=key2.sss.keytab xrdfs localhost stat /tmp
Path: /tmp
Id: 144115493018598656
Size: 8192
MTime: 2017-09-25 18:01:04
Flags: 51 (XBitSet|IsDir|IsReadable|IsWritable)
[itdssbuild01] sss >
SERVER SIDE LOGS
170925 20:02:14 28923 XrdInet: Accepted connection from 22@localhost
170925 20:02:14 28924 XrdSched: running main accept inq=0
170925 20:02:14 28923 XrdProtocol: matched protocol xrootd
170925 20:02:14 28923 ?:22@localhost XrdPoll: FD 22 attached to poller 0; num=1
170925 20:02:14 28923 ?:22@localhost XrootdProtocol: 0000 req=login dlen=95
170925 20:02:14 28923 sec_getParms: localhost sectoken=&P=sss,0.13:
170925 20:02:14 28923 smurray.29535:22@localhost XrootdResponse: 0000 sending 28 data bytes; status=0
170925 20:02:14 28923 smurray.29535:22@localhost XrootdProtocol: 0000 req=auth dlen=151
sec_PM: Using sss protocol, args='0.13:'
170925 20:02:14 28923 smurray.29535:22@localhost XrootdResponse: 0000 sending OK
170925 20:02:14 28923 XrootdXeq: smurray.29535:22@localhost pvt IPv4 login as key2_user
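As an added check (not part of the original report and not xrootd's own tooling), the Python script below parses the `xrdsssadmin list` output shown above and flags every keyname that appears more than once in a combined keytab, noting when two entries share the same creation second, which is the case that failed with "Unable to decrypt credentials". It assumes the column layout exactly as listed above (number, length, date/time created, expires, keyname, user, group).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the `xrdsssadmin list` output of the first test above,
# where both key1 entries were created in the same second.
SAME_SECOND_LISTING = """\
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
1 32 09/25/17 19:44:45 -------- key1 key2_user key2_group
1 32 09/25/17 19:44:45 -------- key1 key1_user key1_group
"""

# One key line: number, length, MM/DD/YY HH:MM:SS, expiry (or dashes), keyname, user, group.
KEY_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_listing(text):
    """Return one dict per key line; header and separator lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            num, ln, created, expires, keyname, user, group = m.groups()
            keys.append({"number": int(num), "len": int(ln), "expires": expires,
                         "created": datetime.strptime(created, "%m/%d/%y %H:%M:%S"),
                         "keyname": keyname, "user": user, "group": group})
    return keys


def find_conflicts(text):
    """Map each keyname listed more than once to its (user, group) identities and
    a flag telling whether two of its entries share a creation timestamp."""
    by_name = defaultdict(list)
    for k in parse_listing(text):
        by_name[k["keyname"]].append(k)
    conflicts = {}
    for name, entries in by_name.items():
        if len(entries) > 1:
            stamps = [e["created"] for e in entries]
            conflicts[name] = {
                "identities": [(e["user"], e["group"]) for e in entries],
                "same_second": len(set(stamps)) < len(stamps),
            }
    return conflicts
```

Run it over the output of `xrdsssadmin list <keytab>` before deploying a combined keytab; any keyname reported here will be resolved by creation time rather than by name, and a `same_second` hit is the configuration that produced the authentication failure above.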