My test was via ssh from another node. I purged the caches
(rm /var/lib/sss/db/* /var/lib/sss/mb/*) and restarted, but no change.
It looks like a new krb5ccache file is created on every login.
Obfuscated sample:
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$ logout
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT
Jay
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Thursday, February 4, 2016 5:23 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Kerberos Cred Cache name with Active Directory
On Thu, Feb 04, 2016 at 09:29:02AM +0100, Lukas Slebodnik wrote:
On (04/02/16 04:46), Jay McCanta wrote:
>I would like to change where sssd creates the krb5 credential cache when using AD for authentication.
>It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
>We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
>I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but that didn't change where the cache got created. Below is the sssd.conf file. Is this possible with the AD provider?
>
>Jay McCanta
>F5 Networks, Inc.
>
>[sssd]
>config_file_version = 2
>domains = example.com
>services = nss, pam
>debug_level = 3
>
>[nss]
>
>[pam]
>debug_level = 3
>
>[domain/example.com]
>id_provider = ad
>auth_provider = ad
>access_provider = ad
>ldap_id_mapping = False
>krb5_ccachedir=/var/run
>krb5_ccname_template=FILE:%d/krb5cc_%U
>
The configuration looks good to me?
How did you test it?
ssh? "su", "su -" ...
I'm not 100% sure about all the use-cases (and currently no time to test, sadly), but
I remember that sssd stores the ccache in the ldb cache and tries to reuse the existing
one. So chances are you might need to clear the cache (and please make sure you're
doing this while connected to the network, the cache also contains the cached passwords)
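
One way to check which template a login's ccache name actually came from, as an added example that is not part of the thread: it parses the domain section quoted above and compares a cache name from klist against the configured template and against the default-style name the thread reports. The UID 1000, the helper names and the assumed default template FILE:%d/krb5cc_%U_XXXXXX are assumptions.

```python
import configparser
import re

# Constructed input: the domain section quoted in the thread.
SSSD_CONF = """\
[domain/example.com]
id_provider = ad
auth_provider = ad
krb5_ccachedir=/var/run
krb5_ccname_template=FILE:%d/krb5cc_%U
"""

# Assumption: models the name the thread reports, FILE:/tmp/krb5cc_<uid>_<random>.
DEFAULT_DIR = "/tmp"
DEFAULT_TEMPLATE = "FILE:%d/krb5cc_%U_XXXXXX"


def template_regex(template, ccachedir, uid):
    """Compile a ccache-name template into a regex (handles %d, %U, %% only)."""
    random_suffix = template.endswith("XXXXXX")
    if random_suffix:
        template = template[:-6]
    values = {"d": ccachedir, "U": str(uid), "%": "%"}
    parts = []
    for literal, key in re.findall(r"([^%]*)(?:%(.))?", template):
        parts.append(re.escape(literal))
        if key:
            parts.append(re.escape(values[key]))  # KeyError: expansion not handled here
    if random_suffix:
        parts.append(r"[A-Za-z0-9]+")  # length of the random suffix is not checked
    return re.compile("".join(parts))


def classify(conf_text, domain, uid, observed):
    """Return 'configured', 'default' or 'other' for an observed ccache name."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is literal in sssd.conf
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    ccdir = sec.get("krb5_ccachedir", DEFAULT_DIR)
    tmpl = sec.get("krb5_ccname_template", DEFAULT_TEMPLATE)
    if template_regex(tmpl, ccdir, uid).fullmatch(observed):
        return "configured"
    if template_regex(DEFAULT_TEMPLATE, DEFAULT_DIR, uid).fullmatch(observed):
        return "default"
    return "other"


if __name__ == "__main__":
    # Cache name from the klist sample above, with constructed UID 1000 for NNNN.
    print(classify(SSSD_CONF, "example.com", 1000, "FILE:/tmp/krb5cc_1000_wI6zZjSxdS"))
```

A result of "default" means the login did not pick up the configured template; "other" means the name matches neither pattern.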