Hi
1.9.4 Ubuntu 13.04
We have this in sssd.conf:
ldap_sasl_mech = gssapi
ldap_sasl_authid = HH16$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
but no krb5cc_xxxx file appears in /tmp when we start sssd.
This works OK with openSUSE with the same config.
How can we get sssd to produce the cache file as expected?
Thanks
Steve
On 04/26/2013 06:44 PM, steve wrote:
There have been some changes where SSSD produces the file on Fedora. There is a distro-wide effort to move the cred cache from /tmp to /var/run/user/<uid>. You might need to fix that for Ubuntu.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
On 27/04/13 01:01, Dmitri Pal wrote:
There have been some changes where SSSD produces the file on Fedora. There is a distro-wide effort to move the cred cache from /tmp to /var/run/user/<uid>. You might need to fix that for Ubuntu.
Hi
In fact I don't get it upon starting sssd on either Ubuntu or openSUSE, in either /tmp or /var/run/user, sorry. _Should_ I get the cache file? (It would be handy to have a root cache for some other stuff like cifs mounts.)
With this config, should a cache file be produced?
On 04/26/2013 07:08 PM, steve wrote:
Hi
In fact I don't get it upon starting sssd on either Ubuntu or openSUSE, in either /tmp or /var/run/user, sorry. _Should_ I get the cache file? (It would be handy to have a root cache for some other stuff like cifs mounts.)
With this config, should a cache file be produced?
The cache should be produced for a user once the user authenticates. I do not know where the cache is for the TGT that is created by SSSD itself based on its keytab (the one you are mentioning in the config above). You need to wait for the real specialists to chime in.
On Sat, 2013-04-27 at 00:44 +0200, steve wrote:
How can we get sssd to produce the cache file as expected?
The ccache file for sssd itself is in /var/lib/sss/db/ccache_<REALM>
Simo.
On 27/04/13 03:54, Simo Sorce wrote:
The ccache file for sssd itself is in /var/lib/sss/db/ccache_<REALM>
Simo.
Hi
Thanks, but:
klist -k ccache_HH3.SITE
Keytab name: FILE:ccache_HH3.SITE
klist: Unsupported key table format version number while starting keytab scan
So I can't use it for anything else. Is it possible for sssd to produce a cache that klist understands so I can reuse it as the root cache for other processes?
We have a Samba4 KDC
On Sat, 2013-04-27 at 10:46 +0200, steve wrote:
Hi
Thanks, but:
klist -k ccache_HH3.SITE
Keytab name: FILE:ccache_HH3.SITE
This is ^^not^^ a keytab (-k), it's a ccache. Just do: klist ccache_HH3.SITE
klist: Unsupported key table format version number while starting keytab scan
So I can't use it for anything else. Is it possible for sssd to produce a cache that klist understands so I can reuse it as the root cache for other processes?
You may be interested in the gss-proxy project if you need to use keys for other components and need a ccache to be generated on the fly for you. (works only with MIT kerberos starting on Fedora 19)
We have a Samba4 KDC
I know very well, hello group-steve :-)
Simo.
On 27/04/13 17:39, Simo Sorce wrote:
Hi
Thanks, but:
klist -k ccache_HH3.SITE
Keytab name: FILE:ccache_HH3.SITE
This is ^^not^^ a keytab (-k), it's a ccache. Just do: klist ccache_HH3.SITE
Yes. I feel so stupid. It's not recognised though. Other apps expect it to be under /tmp and be called krb5cc_0.
klist: Unsupported key table format version number while starting keytab scan
So I can't use it for anything else. Is it possible for sssd to produce a cache that klist understands so I can reuse it as the root cache for other processes?
You may be interested in the gss-proxy project if you need to use keys for other components and need a ccache to be generated on the fly for you. (works only with MIT kerberos starting on Fedora 19)
Sounds good. We need the cache for automounted cifs from Samba. We need the root cache at /tmp/krb5cc_0. As it stands, I have to maintain the cache using a cron or by using k5start, which is a pain. I thought that as sssd is constantly in play, it could be used to maintain the cache. Any idea if I could symlink it from its sssd location to /tmp? BTW, the root cache can hold any principal. The MACHINE$ key we use for sss would be fine.
We have a Samba4 KDC
I know very well, hello group-steve :-)
Simo.
Yes, of course, that's why the name Simo seems familiar, from the samba lists. Samba4 + sssd: Amazing technology.
On (27/04/13 19:44), steve wrote:
Yes. I feel so stupid. It's not recognised though. Other apps expect it to be under /tmp and be called krb5cc_0
If you want to store credential caches in /tmp, you should override the default value of the variable krb5_ccachedir.
On Fedora 18 the default value of krb5_ccachedir is "/run/user/%U".
Look at "man sssd-krb5" for a detailed description.
LS
On 04/27/2013 07:54 PM, Lukas Slebodnik wrote:
If you want to store credential caches in /tmp, you should override the default value of the variable krb5_ccachedir.
On Fedora 18 the default value of krb5_ccachedir is "/run/user/%U".
Look at "man sssd-krb5" for a detailed description.
LS
Hi
OK, I changed sssd.conf to this:
ldap_sasl_mech = gssapi
ldap_sasl_authid = DOLORESDC$
krb5_ccachedir = /tmp
ldap_krb5_keytab = /etc/krb5.keytab
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
ldap_krb5_init_creds = true
I expect to get a cache at: /tmp/krb5cc_0
But I don't. Instead, the cache appears at /var/lib/sss/db/ccache_DOLORES.SITE. I've tried %u instead of %U. Do I have the correct syntax?
On Sun, 2013-04-28 at 13:31 +0200, steve wrote:
Hi
OK, I changed sssd.conf to this:
ldap_sasl_mech = gssapi
ldap_sasl_authid = DOLORESDC$
krb5_ccachedir = /tmp
ldap_krb5_keytab = /etc/krb5.keytab
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
ldap_krb5_init_creds = true
These options are only for user caches. Not for sssd's own machine ccache
I expect to get a cache at: /tmp/krb5cc_0
But I don't. Instead, the cache appears at /var/lib/sss/db/ccache_DOLORES.SITE. I've tried %u instead of %U. Do I have the correct syntax?
The syntax is correct, but it will not affect the machine ccache. Its path is hard-coded to /var/lib/sss/db/ccache_<REALM>
Simo.
On 04/28/2013 04:12 PM, Simo Sorce wrote:
These options are only for user caches. Not for sssd's own machine ccache
I expect to get a cache at: /tmp/krb5cc_0
But I don't. Instead, the cache appears at /var/lib/sss/db/ccache_DOLORES.SITE. I've tried %u instead of %U. Do I have the correct syntax?
The syntax is correct, but will not affect the machine ccache. It's path is hard coded to /var/lib/sss/db/ccache_<REALM>
Simo.
Hi
OK, so for the machine cache it is hard-coded. What about if I change:
ldap_sasl_authid = Administrator
IOW, not the machine key? Do I get a cache under /tmp then?
If not, could you tell me the syntax to have sssd running as root and, when it starts, to have its cache in /tmp/krb5cc_0?
Thanks for your patience.
ldap_sasl_authid = DOLORESDC$
On Sun, Apr 28, 2013 at 05:31:41PM +0200, steve wrote:
Hi
OK, so for the machine cache it is hard-coded. What about if I change:
ldap_sasl_authid = Administrator
IOW, not the machine key? Do I get a cache under /tmp then?
No, you won't; the path is hardcoded.
If not, could you tell me the syntax to have sssd running as root and when it starts to have it's cache in /tmp/krb5cc_0 ??
There is no way to do this.
Why do you need the ccache in /tmp?
If other applications expect the ccache to be there (why?) they can kinit themselves, or you can run kinit on their behalf in a shell script via cron.
ldap_sasl_authid = Administrator
IOW, not the machine key? Do I get a cache under /tmp then?
No, you won't; the path is hardcoded.
If not, could you tell me the syntax to have sssd running as root and when it starts to have it's cache in /tmp/krb5cc_0 ??
There is no way to do this.
Why do you need the ccache in /tmp?
For krb5 cifs. The automounter looks for krb5cc_0 in /tmp.
If other applications expect the ccache to be there (why?) they can kinit themselves, or you can run kinit on their behalf in a shell script via cron.
Yes, I see that now. It's just me being lazy. I need to write a cron to kinit to keep the root cache alive for the automounter and leave sssd to get on with its own job.
Thanks.
BTW, do we mark threads as [solved] on this list?
On Sun, 28 Apr 2013, steve wrote:
For krb5 cifs. The automounter looks for krb5cc_0 in /tmp
If other applications expect the ccache to be there (why?) they can kinit themselves, or you can run kinit on their behalf in a shell script via cron.
Yes, I see that now. It's just me being lazy. I need to write a cron to kinit to keep the root cache alive for the automounter and leave sssd to get on with its own job.
If you just write a cron job, you may find that the cache doesn't exist when the automounter needs it, as the cron job may have not yet run.
I feel distinctly unclean doing this, but I just added a couple of lines to /etc/sysconfig/autofs to create the necessary ticket and set the selinux context appropriately.
jh
On 04/29/2013 10:09 AM, John Hodrien wrote:
If you just write a cron job, you may find that the cache doesn't exist when the automounter needs it, as the cron job may have not yet run.
I feel distinctly unclean doing this, but I just added a couple of lines to /etc/sysconfig/autofs to create the necessary ticket and set the selinux context appropriately.
Hi
I've got as far as creating the root ticket in /etc/init.d/boot.local, which seems to be OK as it happens before anyone hits the automounter. On our system, that'll keep autofs happy for 10 hours, so I suppose the cron would need to be set to run at 9 hour 59 minute intervals. Normally the client would have been rebooted by then, but I'd like to be able to just forget about it. Could you share your 2-liner autofs script? I guess it would be a kinit -k <some key>, but I'm new to all this. Cheers.
On Mon, 29 Apr 2013, steve wrote:
Hi
I've got as far as creating the root ticket in /etc/init.d/boot.local, which seems to be OK as it happens before anyone hits the automounter. On our system, that'll keep autofs happy for 10 hours, so I suppose the cron would need to be set to run at 9 hour 59 minute intervals. Normally the client would have been rebooted by then, but I'd like to be able to just forget about it. Could you share your 2-liner autofs script? I guess it would be a kinit -k <some key>, but I'm new to all this.
In my case it was:
kinit -k nfs/$HOSTNAME -c /tmp/krb5cc_machine_KRB5_DOMAIN
chcon -t gssd_tmp_t /tmp/krb5cc_machine_KRB5_DOMAIN
I wasn't clear that there was an easy way to preset the context, so used chcon after the event.
Also, why not renew hourly, rather than cut it fine?
jh
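The kinit/chcon two-liner above, wrapped in the expiry check an hourly cron job needs, as an added example that is not part of the original thread, of John's script or of sssd: a Python script that parses `klist -c` output to see how long the krbtgt ticket in /tmp/krb5cc_0 has left and only re-runs `kinit -k` from the keytab when less than an hour remains, relabelling the file for SELinux afterwards. The cache path, keytab, the machine principal HH16$ and the gssd_tmp_t type are assumptions taken from the thread; SAMPLE_KLIST is constructed output, and accepting both two- and four-digit-year klist timestamps is an assumption about MIT klist in the C locale.

```python
#!/usr/bin/env python3
"""Keep a root credential cache for autofs/cifs alive from the host keytab.

Added example for the thread above; not sssd code and not John's script.
Run hourly from cron as root: it re-acquires the machine TGT only when the
current one is missing or about to expire.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Assumed values for illustration; substitute your own.
CCACHE = "/tmp/krb5cc_0"            # where the automounter looks, per the thread
KEYTAB = "/etc/krb5.keytab"
PRINCIPAL = "HH16$"                 # the machine account used for ldap_sasl_authid
SELINUX_TYPE = "gssd_tmp_t"         # the type John used; verify it for cifs.upcall
RENEW_MARGIN = timedelta(hours=1)   # re-kinit when less than this lifetime remains

# MIT klist prints "MM/DD/YY HH:MM:SS" in the C locale; some builds print a
# four-digit year. Both are accepted (assumption about klist output).
_DATE_FORMATS = ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S")
_TICKET_LINE = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{2,4} \d{2}:\d{2}:\d{2})"   # valid starting
    r"\s+(\d{1,2}/\d{1,2}/\d{2,4} \d{2}:\d{2}:\d{2})"    # expires
    r"\s+(\S+)"                                          # service principal
)

# Constructed sample of `klist -c /tmp/krb5cc_0` output, used for self-testing.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HH16$@HH3.SITE

Valid starting       Expires              Service principal
04/29/13 08:00:00  04/29/13 18:00:00  krbtgt/HH3.SITE@HH3.SITE
\trenew until 05/06/13 08:00:00
04/29/13 08:00:05  04/29/13 18:00:00  cifs/fileserver.hh3.site@HH3.SITE
"""


def _parse_time(text):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def tgt_expiry(klist_output):
    """Return the expiry time of the krbtgt/ ticket in klist output, or None."""
    for line in klist_output.splitlines():
        m = _TICKET_LINE.match(line)
        if m and m.group(3).startswith("krbtgt/"):
            return _parse_time(m.group(2))
    return None


def needs_renewal(klist_output, now, margin=RENEW_MARGIN):
    """True when there is no TGT or it expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now < margin


def current_klist(ccache=CCACHE):
    """Run klist on the cache; a missing or unreadable cache yields empty output."""
    proc = subprocess.run(["klist", "-c", ccache], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def renew(ccache=CCACHE, keytab=KEYTAB, principal=PRINCIPAL):
    """Get a fresh TGT from the keytab into `ccache` (kinit creates it mode 0600)."""
    subprocess.run(["kinit", "-k", "-t", keytab, "-c", ccache, principal], check=True)
    try:
        # selinuxenabled exits 0 when SELinux is enforcing or permissive.
        if subprocess.run(["selinuxenabled"], capture_output=True).returncode == 0:
            subprocess.run(["chcon", "-t", SELINUX_TYPE, ccache], check=True)
    except FileNotFoundError:
        pass  # no SELinux userland on this box (e.g. a plain Ubuntu client)


def main():
    if needs_renewal(current_klist(), datetime.now()):
        renew()
        print("renewed TGT in", CCACHE)
    else:
        print("TGT still valid until", tgt_expiry(current_klist()))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root from cron.hourly. kinit writes the cache 0600 root-owned, which is what you want: anyone who can read /tmp/krb5cc_0 holds the machine's TGT. `klist -s` alone only says whether an unexpired ticket exists, so it cannot express the one-hour margin; hence the parsing.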
On 04/28/2013 05:31 PM, steve wrote:
Hi
OK, so for the machine cache it is hard-coded. What about if I change:
ldap_sasl_authid = Administrator
IOW, not the machine key? Do I get a cache under /tmp then?
Hi,
I'm not sure if I understand your situation correctly, but it seems to me that this could be solvable by creating a symlink pointing from /tmp/krb5_cc to /var/lib/sss/db/ccache. We just tried it with Lukas, and it works as I expected.
On Mon, 29 Apr 2013, Ondrej Kos wrote:
Hi,
I'm not sure if I understand your situation correctly, but it seems to me that this could be solvable by creating a symlink pointing from /tmp/krb5_cc to /var/lib/sss/db/ccache. We just tried it with Lukas, and it works as I expected.
Would SELinux throw a spanner in the works? I've not needed this for cifs, as sec=krb5,multiuser seems to remove the need for the machine credential.
jh
On 04/29/2013 12:55 PM, John Hodrien wrote:
On Mon, 29 Apr 2013, Ondrej Kos wrote:
Hi,
I'm not sure if I understand your situation correctly, but it seems to me that this could be solvable by creating a symlink pointing from /tmp/krb5_cc to /var/lib/sss/db/ccache. We just tried it with Lukas, and it works as I expected.
Nope, I'm afraid not. The symlink doesn't work. It has to be a real file.
Would SELinux throw a spanner in the works? I've not needed this for cifs, as sec=krb5,multiuser seems to remove the need for the machine credential.
John, that's not what we find. The whole reason we have this problem is that for us, nothing gets mounted unless there's a root cache at /tmp, multiuser or not. The only reason we use multiuser is to make cifs behave like nfs, in that the uid:gid of whoever creates the file is that of the user who is logged in and not the guy who mounted the share.
It looks like the cron to keep the ticket alive is the way to go, and I take your point. Hourly seems fine. The idea is that cifs on the client stays alive for as long as the box is booted, not until the ticket expires. There's another utility called k5start which may be another solution. It's designed to maintain long-running processes. I've used it with nslcd.
Cheers, Steve
I think the only solution
On 04/29/2013 09:30 AM, steve wrote:
It looks like the cron to keep the ticket alive is the way to go, and I take your point. Hourly seems fine. The idea is that cifs on the client stays alive for as long as the box is booted, not until the ticket expires. There's another utility called k5start which may be another solution. It's designed to maintain long-running processes. I've used it with nslcd.
Have you looked at GSS proxy? Its goal is to provide the separation of duties and automatic ticket renewal. It is in F19 now. https://fedoraproject.org/wiki/Features/gss-proxy This is the direction we are going in to solve the problem of ticket renewal.
On 29/04/13 19:11, Dmitri Pal wrote:
Have you looked at GSS proxy? Its goal is to provide the separation of duties and automatic ticket renewal. It is in F19 now. https://fedoraproject.org/wiki/Features/gss-proxy This is the direction we are going in to solve the problem of ticket renewal.
Thanks for that. I'll certainly have a look. Anything would be better than our roll-your-own cron.hourly kinit workaround. Cheers and thanks for all the help.
On Sat, Apr 27, 2013 at 07:54:51PM +0200, Lukas Slebodnik wrote:
If you want to store credential caches in /tmp, you should override the default value of the variable krb5_ccachedir.
On Fedora 18 the default value of krb5_ccachedir is "/run/user/%U".
Look at "man sssd-krb5" for a detailed description.
These options only affect the ccaches generated by the krb5_child, not the ldap_child.