On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote:
> > > I decided to test new sssd/KCM and this is what I get:
> > >
> > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > ~ $ klist
> > > Ticket cache: KCM:1001
> > > Default principal: jocke@INFINERA.COM
> > >
> > > Valid starting Expires Service principal
> > > 10/05/21 16:47:32 11/05/21 02:47:32 krbtgt/INFINERA.COM@INFINERA.COM
> > > renew until 17/05/21 16:47:32
> > > ~ $ ksu
> > > ksu: Ccache function not supported: not implemented while selecting the best principal
> > >
> > > I also have mit-krb5 master installed.
> > >
> > > Did I miss something?
>
> krb5 master contains:
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub....
> but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
> its own function that was used before this commit.

hmm, not sure what to do here, downgrade mit-krb5? Then I don't get the new KCM
feature.
The trace didn't help any? Here is a ssh trace in case that helps:
KRB5_TRACE=/dev/stdout ssh devsrv
[7615] 1620662408.437070: ccselect module realm chose cache KCM:1001 with client principal jocke@INFINERA.COM for server principal host/devsrv.infinera.com@INFINERA.COM
[7615] 1620662408.437071: Getting credentials jocke@INFINERA.COM -> host/devsrv.infinera.com@INFINERA.COM using ccache KCM:1001
[7615] 1620662408.437072: Retrieving jocke@INFINERA.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving jocke@INFINERA.COM -> host/devsrv.infinera.com@INFINERA.COM from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437079: ccselect module realm chose cache KCM:1001 with client principal jocke@INFINERA.COM for server principal host/devsrv.infinera.com@INFINERA.COM
[7615] 1620662408.437080: Getting credentials jocke@INFINERA.COM -> host/devsrv.infinera.com@INFINERA.COM using ccache KCM:1001
[7615] 1620662408.437081: Retrieving jocke@INFINERA.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437082: Retrieving jocke@INFINERA.COM -> host/devsrv.infinera.com@INFINERA.COM from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
(jocke@devsrv) Password:
Jocke
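
Added example, not part of the original message and not code from SSSD or MIT krb5: a small parser for KRB5_TRACE output like the trace above that rejoins mail-wrapped entries and reports every ccache lookup that returned a non-zero result, grouped by cache and error. The function names are hypothetical, and the sample input is constructed from the trace in this message plus one invented successful lookup.

```python
import re
from collections import Counter

# A trace entry is "[pid] timestamp: message".
ENTRY = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
# Ccache lookups are logged as
# "Retrieving <client> -> <server> from <ccache> with result: <code>/<text>".
RETRIEVE = re.compile(
    r"^Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/(.*)$")

def unwrap(lines):
    """Rejoin entries that a mail client wrapped over several lines."""
    entries = []
    for line in (l.strip() for l in lines):
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:      # continuation of the previous entry
            entries[-1] += " " + line
    return entries

def failed_retrievals(lines):
    """Return (pid, ccache, server, code, text) for each failed lookup."""
    failures = []
    for entry in unwrap(lines):
        pid, _ts, msg = ENTRY.match(entry).groups()
        m = RETRIEVE.match(msg)
        if m and int(m.group(4)) != 0:
            _client, server, ccache, code, text = m.groups()
            failures.append((int(pid), ccache, server, int(code), text))
    return failures

def summarize(lines):
    """Count failed lookups per (ccache, error code, error text)."""
    return dict(Counter((cc, code, text)
                        for _pid, cc, _srv, code, text in failed_retrievals(lines)))

# Constructed sample: three wrapped entries taken from the trace in this
# message, followed by one invented successful lookup (result 0).
SAMPLE = """\
[7615] 1620662408.437071: Getting credentials jocke@INFINERA.COM ->
host/devsrv.infinera.com@INFINERA.COM using ccache KCM:1001
[7615] 1620662408.437072: Retrieving jocke@INFINERA.COM ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result:
-1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving jocke@INFINERA.COM ->
host/devsrv.infinera.com@INFINERA.COM from KCM:1001 with result: -1765328137/Ccache
function not supported: not implemented
[7615] 1620662408.437090: Retrieving jocke@INFINERA.COM -> krbtgt/INFINERA.COM@INFINERA.COM from KCM:1001 with result: 0/Success
""".splitlines()
```

Feed it only the trace lines: wrapped text cannot be told apart from other program output, so a trailing prompt line would be appended to the last entry.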