On Wed, Oct 15, 2014 at 02:37:59PM +0200, Joschi Brauchle wrote:
We have a weird problem with the KRB5CCNAME environment variable that
seems to be an SSSD bug.
Configuration:
------------ /etc/sssd/sssd.conf ------------
...
# Set CCache to Kerberos default
krb5_ccachedir = /run/user/%U
krb5_ccname_template = DIR:%d/krb5cc
...
------------ /etc/sssd/sssd.conf ------------
Now, user "ne96soh" logs in to the machine for the FIRST time and does a
kerberized ldapsearch:
------------
ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
DIR:/run/user/3036404/krb5cc
ne96soh@tueilnt-student01:~$ klist
Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
...
ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
... <succeeds>
------------
but then logs into the machine a SECOND concurrent time (i.e. leaving first
session open):
------------
ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
DIR::/run/user/3036404/krb5cc/tktZoweZq
ne96soh@tueilnt-student01:~$ klist
Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
...
ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (No
Kerberos credentials available)
------------
For me, the format of 'DIR::/run/user/3036404/krb5cc/tktZoweZq' in the
second login seems strange! Is this a valid format?
Which version of SSSD are you using? iirc we fixed a similar issue some
time ago.
bye,
Sumit
When I manually reset the KRB5CCNAME variable in the second login shell to
its original value 'DIR:/run/user/3036404/krb5cc', then the ldapsearch using
GSSAPI succeeds.
The reason for all this seems to be that SSSD reuses existing ccaches for
already logged on users, but possibly mixes up formats there.
See
------------ /var/log/sssd_default.log ------------
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [krb5_auth_send] (0x4000):
Ccache_file is [DIR::/run/user/3036404/krb5cc/tktZoweZq] and is active and
TGT is valid.
...
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [krb5_find_ccache_step]
(0x0080): Saved ccache DIR::/run/user/3036404/krb5cc/tktZoweZq if of
different type than ccache in configuration file, reusing the old ccache
...
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [safe_remove_old_ccache_file]
(0x0400): New and old ccache file are the same, no one will be deleted.
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [krb5_mod_ccname] (0x4000):
Save ccname [DIR::/run/user/3036404/krb5cc/tktZoweZq] for user [ne96soh].
------------ /var/log/sssd_default.log ------------
Best regards,
--
Dipl.-Ing. Joschi Brauchle, M.S.
Institute for Communications Engineering (LNT)
Technische Universitaet Muenchen (TUM)
80290 Munich, Germany
Tel (work): +49 89 289-23474
Fax (work): +49 89 289-23490
E-mail: joschi.brauchle(a)tum.de
Web: http://www.lnt.ei.tum.de/
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
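The mismatch the log lines above show (a configured 'DIR:' collection template versus a saved 'DIR::' name, which in libkrb5 denotes one subsidiary cache file inside a DIR collection) can be checked mechanically. The following is an added example written for this thread, not SSSD code; it parses ccache names by their libkrb5 prefix and scans the quoted krb5_mod_ccname log lines for saved names whose type differs from the krb5_ccname_template.

```python
import re

# Constructed sample input: the template from the reported sssd.conf and the
# relevant /var/log/sssd_default.log lines quoted in the report (joined to one line each).
KRB5_CCNAME_TEMPLATE = "DIR:%d/krb5cc"
SAMPLE_LOG = """\
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is [DIR::/run/user/3036404/krb5cc/tktZoweZq] and is active and TGT is valid.
(Wed Oct 15 14:04:54 2014) [sssd[be[default]]] [krb5_mod_ccname] (0x4000): Save ccname [DIR::/run/user/3036404/krb5cc/tktZoweZq] for user [ne96soh].
"""

def parse_ccname(ccname):
    """Split a libkrb5 ccache name into (type, kind, residual).

    kind is 'collection' for 'DIR:/dir', 'subsidiary' for 'DIR::/dir/file'
    and 'single' for non-collection types such as 'FILE:/tmp/krb5cc_1000'.
    A name without a type prefix is treated as FILE, as libkrb5 does.
    """
    if ":" not in ccname:
        return "FILE", "single", ccname
    cctype, residual = ccname.split(":", 1)
    if cctype == "DIR" and residual.startswith(":"):
        return "DIR", "subsidiary", residual[1:]
    if cctype == "DIR":
        return "DIR", "collection", residual
    return cctype, "single", residual

def matches_template(ccname, template):
    """True when ccname has the same type and kind as the configured template.

    Only the prefix is compared, so template placeholders like %d need no expansion.
    """
    t_type, t_kind, _ = parse_ccname(template)
    c_type, c_kind, _ = parse_ccname(ccname)
    return (t_type, t_kind) == (c_type, c_kind)

# Matches the "Save ccname [...] for user [...]" message emitted by krb5_mod_ccname.
SAVED_RE = re.compile(r"\[krb5_mod_ccname\] .*Save ccname \[([^\]]+)\] for user \[([^\]]+)\]")

def find_mismatches(log_text, template):
    """Return [(user, ccname)] for each saved ccname whose type/kind differs from template."""
    out = []
    for line in log_text.splitlines():
        m = SAVED_RE.search(line)
        if m and not matches_template(m.group(1), template):
            out.append((m.group(2), m.group(1)))
    return out

if __name__ == "__main__":
    for user, name in find_mismatches(SAMPLE_LOG, KRB5_CCNAME_TEMPLATE):
        print(f"{user}: saved ccname {name} does not match template {KRB5_CCNAME_TEMPLATE}")
```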