On 04/11/2013 08:40 AM, Stephen Gallagher wrote:
Our default behavior on modern systems is actually to store the kerberos credential cache in volatile storage (a tmpfs on Fedora). This is intentional as a security precaution, as it means that on reboot you need to have human intervention in order to gain network access again. This can be changed in sssd.conf by setting the krb5_ccachedir option to point to somewhere persistent.
We create that special cache file in order to play better with other kerberos-enabled applications (such as krb5-auth-dialog) which would otherwise try to create their own cache in a location that SSSD couldn't be aware of. So we generate a cache file, populate it with intentionally expired data and then establish the user's session with the KRB5CCNAME environment variable set to point to it for the benefit of those other kerberized apps.
That makes sense; I was overlooking the security vulnerability that caching a (potentially) still valid credential would present.
If this is a single-user machine, we recommend enabling the (disabled-by-default) option krb5_store_password_if_offline (set it to True). What this does is temporarily store your plaintext password in the kernel keyring until SSSD detects that it has gone "online". This may take as much as two minutes on some systems (though it may be close to instantaneous when using VPN, as we monitor for changes in the network and DNS resolver state as a cue to try reconnecting to LDAP). Then the SSSD will kinit on your behalf and update that stale cache.
Also, locking your screen and unlocking it with your password is a less-invasive way to force a kinit as well, rather than logging out and back in.
Both good suggestions, thanks.
/Harry
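The two sssd.conf settings discussed in this thread, written out as an added example that is not part of the original message or of the SSSD project's own documentation. The domain section name `example.com` and the path `/var/lib/sss/ccache` are placeholders; both option names (`krb5_ccachedir`, `krb5_store_password_if_offline`) are the ones named above, and the comments restate the trade-offs the message describes.

```ini
# /etc/sssd/sssd.conf (placeholder domain name; edit to match your setup)
[domain/example.com]
id_provider = ldap
auth_provider = krb5

# Default behaviour is left alone: the credential cache lives on volatile
# storage (tmpfs), so a reboot discards it and a human has to log in again
# before the host regains network credentials.
#
# Only for a persistent cache would you point this at disk, which gives up
# that reboot protection:
# krb5_ccachedir = /var/lib/sss/ccache   # placeholder path

# Single-user machine: let SSSD keep the plaintext password in the kernel
# keyring while offline, then kinit on the user's behalf once it detects
# that it is online again (can take up to ~2 minutes; faster on VPN, where
# network/resolver changes trigger a reconnect attempt).
krb5_store_password_if_offline = True
```

After restarting sssd and logging in while offline, a plain `klist` will still show the intentionally expired entry until SSSD goes online and refreshes it; locking and unlocking the screen with the password, as noted above, forces that refresh without a full logout.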