On (15/04/15 10:40), Ola Nystrom wrote:
Ok, so I have to really remove all files. Not just use sss_cache as I do
when I am lazy.
It works now.
[root@galaxy ~]# rm -f /var/lib/sss/mc/*
[root@galaxy ~]# rm -f /var/lib/sss/db/*
Then sssd uses the config.
sss_cache -E did not do the trick.
http://pastebin.com/3KmEv61Z
Question now is, if kerberos supports KEYRING and sssd supports KEYRING, why
does it not work when sssd saved my ticket to the KEYRING on CentOS6.6?
I'm sure what kind of system do you use.
I was not able to kinit on el6.6 with exported KEYRING ccache,
and sssd returned a pam system error (I was not able to authenticate).
krb5_child.log
--------------
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:1239005441]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal lg-user1201-077648@SSSDAD.COM in cache collection]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]
[get_and_save_tgt] (0x0020): 1029: [-1765328187][Error writing to credentials cache]
[map_krb5_error] (0x0020): 1069: [-1765328187][Error writing to credentials cache]
[k5c_send_data] (0x0200): Received error code 1432158209
[pack_response_packet] (0x2000): response packet size: [20]
sssd_sssdad.com.log
--------------
[read_pipe_handler] (0x0400): EOF received, client finished
[parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
[check_wait_queue] (0x1000): Wait queue for user [lg-user1201-077648] is empty.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]
secure.log
--------------
Apr 15 04:11:32 hp-dl380pgen8-02-vm-6 su: pam_unix(su:session): session opened for user test by root(uid=0)
Apr 15 04:11:40 hp-dl380pgen8-02-vm-6 su: pam_unix(su:auth): authentication failure; logname=root uid=500 euid=0 tty=pts/6 ruser=test rhost= user=lg-user1201-077648@sssdad.com
Apr 15 04:11:42 hp-dl380pgen8-02-vm-6 su: pam_sss(su:auth): authentication failure; logname=root uid=500 euid=0 tty=pts/6 ruser=test rhost= user=lg-user1201-077648@sssdad.com
Apr 15 04:11:42 hp-dl380pgen8-02-vm-6 su: pam_sss(su:auth): received for user lg-user1201-077648@sssdad.com: 4 (System error)
shell with manually exported KRB5CCNAME=KEYRING:persistent:1239005441
--------------
[lg-user1201-077648@sssdad.com@test ~]$ getent passwd lg-user1201-077648@sssdad.com
lg-user1201-077648@sssdad.com:*:1239005441:1239000513:lg-user1201-077648:/home/sssdad.com/lg-user1201-077648:/bin/bash
[lg-user1201-077648@sssdad.com@test ~]$ env | grep KRB
KRB5CCNAME=KEYRING:persistent:1239005441
[lg-user1201-077648@sssdad.com@test ad_large_dataset]$ klist
klist: Key has been revoked while getting default ccache
klist: Key has been revoked while getting default ccache
Do you have default krb5 on CentOS6?
Is it a bare-metal machine, VM, or container?
LS
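
The following is an added example, not part of the message above and not SSSD code: a small triage script that pulls the ccache location, the ccache type and the distinct krb5 error codes out of krb5_child.log text, so the failed KEYRING write can be lined up with the PAM "4 (System error)" result. The function names `triage` and `write_failures` are hypothetical, and the line format is assumed to match the excerpt quoted in this message.

```python
import re

# Log lines copied from the krb5_child.log excerpt in the message above
# (wrapped lines joined, "(a)" restored to "@").
SAMPLE = """\
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:1239005441]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal lg-user1201-077648@SSSDAD.COM in cache collection]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]
[get_and_save_tgt] (0x0020): 1029: [-1765328187][Error writing to credentials cache]
[map_krb5_error] (0x0020): 1069: [-1765328187][Error writing to credentials cache]
[k5c_send_data] (0x0200): Received error code 1432158209
"""

# "[function] (0xLEVEL): message"; search() tolerates a prefix before it.
LINE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
KRB5_ERR = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")
LOCATION = re.compile(r"Location: \[(?P<loc>[^\]]+)\]")
CC_TYPE = re.compile(r"Initializing ccache of type \[(?P<type>\w+)\]")

def triage(log_text):
    """Summarise ccache location/type and krb5 errors from krb5_child.log text."""
    summary = {"location": None, "ccache_type": None, "errors": []}
    for raw in log_text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue  # skip wrapped fragments and lines in another format
        msg = m["msg"]
        if (loc := LOCATION.search(msg)):
            summary["location"] = loc["loc"]
        if (typ := CC_TYPE.search(msg)):
            summary["ccache_type"] = typ["type"]
        for err in KRB5_ERR.finditer(msg):
            entry = (m["func"], int(err["code"]), err["text"])
            # Keep only the first function that reports each code/text pair.
            if entry[1:] not in [e[1:] for e in summary["errors"]]:
                summary["errors"].append(entry)
    return summary

def write_failures(summary):
    """Errors whose text reports a failed credentials-cache write."""
    return [e for e in summary["errors"] if "writing to credentials cache" in e[2]]

if __name__ == "__main__":
    s = triage(SAMPLE)
    print(s["location"], s["ccache_type"])
    for func, code, text in s["errors"]:
        print(f"{func}: {code} {text}")
```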