# This file should normally be installed by your distribution into a# directory that is included from the Kerberos configuration file (/etc/krb5.conf)# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/## To enable the KCM credential cache enable the KCM socket and the service:# systemctl enable sssd-kcm.socket# systemctl start sssd-kcm.socket## To disable the KCM credential cache, comment out the following lines.[libdefaults]default_ccache_name = KCM:
# export KRB5CCNAME="FILE:/tmp/krb5cc_0"
# kinit -k
Hi Spike,During the upgrade KCM was not updated. How was the upgrade done? Just a simple `dnf upgrade` or something more complex?There is a /usr/libexec/sssd/sssd_kcm file that belongs to no RPM. Are you sure there were no errors during the update? No KCM RPM installed, even the previous version?Once the RPM is manually installed, KCM successfully starts. Does `kinit` still fail at this point? If KCM fails to start, it is normal that `kinit` also fails if it is configured to use KCM.AlejandroOn Wed, Jan 10, 2024 at 11:02 PM Spike White <spikewhitetx@gmail.com> wrote:--All,Is there a packaging problem on the latest version of RHEL8 sssd?On several of our RHEL8 servers during the last update cycle, sssd logins start failing. It appears to be when upgrading to version sssd-2.9.1-4.0.1.el8_9.x86_64.Upon deep dive, it turns out the sssd-kcm RPM is missing.The sssd-kcm service fails to start, complaining about missing symbols in /usr/libexec/sssd_kcm file.Sure enough, there is a problem with that file:[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm
file /usr/libexec/sssd/sssd_kcm is not owned by any package
Once the sssd-kcm RPM is installed, then this looks normal:
[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm
sssd-kcm-2.9.1-4.0.1.el8_9.x86_64
Then sssd-kcm service will restart fine. and then sssd logins again work fine.
Also, it appears that a yum downgrade of sssd seems to work too -- presumably because this downgrade also triggers an install of sssd-kcm RPM.
I see that the sssd RPM has no direct explicit RPM dependency on sssd-kcm. But is there some indirect or implied dependency that was missed on this latest packaging for sssd-2.9.1-4.0.1.el8_9.x86_64?
We've run sssd for years and never had significant sssd-kcm problems until last month.
BTW, another clue that it was KCM is that 'kinit -k' fails with error:
# knit -k
Cannot update default cache
But if you tell it to store creds under /tmp, it works:
# export KRB5CCNAME="FILE:/tmp/krb5cc_0"
# kinit -k
Spike
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
----Alejandro
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue