Hello everyone,
I cannot get kernel keyring caches to work with Ubuntu Trusty (when
copying a fully working configuration from openSUSE 13.2).
Scenario:
===========================
I am trying to use persistent kernel keyring ccaches with Ubuntu Trusty,
which comes with
- SSSD 1.11.x
- MIT Kerberos libs 1.12.x
- Kernel 3.13.x
All these components should support kernel keyring ccaches. Is this correct?
In order to debug the problem, I updated SSSD to 1.12.5 and the kernel
to 3.19. But still the problem persists, thus I'm asking for help here...
Setup:
===========================
I enable persistent keyring ccaches like so in /etc/krb5.conf:
--------------
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
--------------
Symptoms:
============================
First of all, none of the problems described next occur when using FILE
ccaches (default setting).
I can log into the machine, but no ccache is created for my user, see
--------------
Could not chdir to home directory /home/<user>: Permission denied
/usr/bin/xauth: timeout in locking authority file /home/<user>/.Xauthority
-bash: /home/<user>/.bash_profile: Permission denied
$ echo $KRB5CCNAME
KEYRING:persistent:3036404
$ klist
klist: No credentials cache found while retrieving principal name
--------------
Doing a manual kinit now does create the ccache successfully:
--------------
$ klist
klist: No credentials cache found while retrieving principal name
$ kinit
Password for username@REALM:
$ klist
Ticket cache: KEYRING:persistent:3036404:3036404
Default principal: username@REALM
Valid starting       Expires              Service principal
11/07/2015 13:58:23  11/07/2015 23:58:23  krbtgt/REALM@REALM
        renew until 11/14/2015 13:58:21
--------------
But note the strange ccache name with twice the UID. This does not look
right. I am expecting something like
"KEYRING:persistent:3036404:krb_ccache_RANDOM" ...
Logs of SSSD 1.12.5 and using kernel 3.19 on Trusty:
============================
- krb5_child.log:
http://paste.opensuse.org/view/raw/eb52751d
- strace of backend process:
http://paste.opensuse.org/view/raw/85f09d65
I obfuscated parts of the logs, removing my username, realm, hostname
and domainname.
The strace shows some interesting keyctl errors:
ENOKEY (Required key not available)
Thanks for any suggestions on how to fix the problem!
- J Brauchle