SSSD and Kerberos tickets

Stephen Gallagher sgallagh at
Wed Aug 18 12:58:57 UTC 2010


On 08/17/2010 05:02 PM, Christoph Höger wrote:
>> If you had access to the school's LDAP setup (and I suspect they'd tell
>> you if you asked) SSSD does what you're looking for internally.
> Neither do I have access to that LDAP (though it might be technically
> possible to connect to it, this is just not a supported use case) nor do
> I want to rely on the IT infrastructure of my university for my
> workstation.
>> But if I'm understanding you right, you want to just use a local login
>> and do a kinit (I don't know what 'kstart' means) when you log in.
> This is exactly what I want. It seems like PAM usually can do this:
> But since Fedora ships with a custom /etc/pam.d layout due to SSSD
> (which, as we discussed, cannot handle that use case), I'd like to know
> if I still (meaning with SSSD in place) can apply the above mentioned
> method.
> Btw: kstart is a kinit replacement that allows running arbitrary
> commands after getting tickets.

What makes you think that SSSD would prevent this? That PAM
configuration has nothing to do with whether you can kinit after login.

That configuration in the link you specified does EXACTLY the same thing
that SSSD does: if you log in with a username that Kerberos understands,
you immediately get a ticket. If you don't (i.e. you log in with a local
account), then you can still do 'kinit', which has nothing to do with PAM.

All you need to have set up for kinit is /etc/krb5.conf.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
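
A minimal /etc/krb5.conf for the case discussed above (local login, then a manual kinit), added here as an example and not part of the original message. The realm EXAMPLE.EDU and the host kdc.example.edu are placeholders, since the thread does not name the university's realm or KDC.

```ini
# /etc/krb5.conf: client-side Kerberos settings only.
# Nothing under /etc/pam.d or in the SSSD configuration is touched.
# EXAMPLE.EDU and kdc.example.edu are placeholders, not values from the thread.

[libdefaults]
    # Realm assumed when kinit is given a bare principal name.
    default_realm = EXAMPLE.EDU
    # Use the KDC listed under [realms] instead of DNS discovery.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    # Tickets stay on this workstation unless forwarding is needed.
    forwardable = false

[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }

[domain_realm]
    # Map hosts in the domain to the realm for service tickets.
    .example.edu = EXAMPLE.EDU
    example.edu = EXAMPLE.EDU
```

With this file in place, a user logged in with a local account obtains a ticket with `kinit user@EXAMPLE.EDU` (placeholder principal) and inspects it with `klist`.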