10:46 p.m.
I would like to change where sssd creates the krb5 credential cache when using AD for
authentication.
It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but that
didn't change where the cache got create. Below is the sssd.conf file. Is this
possible with the AD provider?
Jay McCanta
F5 Networks, Inc.
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 3
[nss]
[pam]
debug_level = 3
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
krb5_ccachedir=/var/run
krb5_ccname_template=FILE:%d/krb5cc_%U
2:29 a.m.
On (04/02/16 04:46), Jay McCanta wrote:
I would like to change where sssd creates the krb5 credential cache
when using AD for authentication.
It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but that
didn't change where the cache got create. Below is the sssd.conf file. Is this
possible with the AD provider?
Jay McCanta
F5 Networks, Inc.
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 3
[nss]
[pam]
debug_level = 3
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
krb5_ccachedir=/var/run
krb5_ccname_template=FILE:%d/krb5cc_%U
The configuration looks good to me?
How did you test it?
ssh? "su", "su -" ...
LS
7:22 a.m.
On Thu, Feb 04, 2016 at 09:29:02AM +0100, Lukas Slebodnik wrote:
On (04/02/16 04:46), Jay McCanta wrote:
>I would like to change where sssd creates the krb5 credential cache when using AD for
authentication.
>It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
>We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
>I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but
that didn't change where the cache got create. Below is the sssd.conf file. Is this
possible with the AD provider?
>
>Jay McCanta
>F5 Networks, Inc.
>
>[sssd]
>config_file_version = 2
>domains = example.com
>services = nss, pam
>debug_level = 3
>
>[nss]
>
>[pam]
>debug_level = 3
>
>[domain/example.com]
>id_provider = ad
>auth_provider = ad
>access_provider = ad
>ldap_id_mapping = False
>krb5_ccachedir=/var/run
>krb5_ccname_template=FILE:%d/krb5cc_%U
>
The configuration looks good to me?
How did you test it?
ssh? "su", "su -" ...
I'm not 100% sure about all the use-cases (and currently no time to test,
sadly), but I remember that sssd stores the ccache in the ldb cache and
tries to reuse the existing one. So chances are you might need to clear
the cache (and please make sure you're doing this while connected to the
network, the cache also contains the cached passwords)
10:14 a.m.
My test was via ssh from another node. I purged the caches (rm /var/lib/sss/db/*
/var/lib/sss/mb/*) and restarted, but no change. It looks like a new krb5ccache file is
created on every login.
Obfuscated sample:
$ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$logut
$ssh XXX (using Kerberos)
$klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT
Jay
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Thursday, February 4, 2016 5:23 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Kerberos Cred Cache name with Active Directory
On Thu, Feb 04, 2016 at 09:29:02AM +0100, Lukas Slebodnik wrote:
On (04/02/16 04:46), Jay McCanta wrote:
>I would like to change where sssd creates the krb5 credential cache when using AD for
authentication.
>It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
>We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
>I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but
that didn't change where the cache got create. Below is the sssd.conf file. Is this
possible with the AD provider?
>
>Jay McCanta
>F5 Networks, Inc.
>
>[sssd]
>config_file_version = 2
>domains = example.com
>services = nss, pam
>debug_level = 3
>
>[nss]
>
>[pam]
>debug_level = 3
>
>[domain/example.com]
>id_provider = ad
>auth_provider = ad
>access_provider = ad
>ldap_id_mapping = False
>krb5_ccachedir=/var/run
>krb5_ccname_template=FILE:%d/krb5cc_%U
>
The configuration looks good to me?
How did you test it?
ssh? "su", "su -" ...
I'm not 100% sure about all the use-cases (and currently no time to test, sadly), but
I remember that sssd stores the ccache in the ldb cache and tries to reuse the existing
one. So chances are you might need to clear the cache (and please make sure you're
doing this while connected to the network, the cache also contains the cached passwords)
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
11 a.m.
On (04/02/16 16:14), Jay McCanta wrote:
My test was via ssh from another node. I purged the caches (rm
/var/lib/sss/db/* /var/lib/sss/mb/*) and restarted, but no change. It looks like a new
krb5ccache file is created on every login.
Obfuscated sample:
$ssh XXX (using Kerberos)
What did you mean by using Kerberos?
Did you authenticate with ssh + krb5 ticket (gssappi)
or did you use pasword for authentication?
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$logut
$ssh XXX (using Kerberos)
$klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT
If you used password then could you provide log files from domain section
and krb5_child.log?
You will need to add "debug_level = 9" into domain section
and restart sssd + reproduce problem.
Feel free to send log files to my private mail
if you do not want to share them on lublic mailing list.
LS
3012
days inactive
3012
days old
sssd-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Jakub Hrozek -
Jay McCanta -
Lukas Slebodnik