On 15.09.20 17:19, Alexander Bokovoy via FreeIPA-users wrote:
[...]
>>   Kerberos ticket in the user's ccache on the server side.
>
> So. Let me try to summarize this for myself. When I want a kerberized
> NFS share to be accessible the user must have a valid Kerberos ticket,
> right? This can be either obtained through SSHD, could be delegated
> from the originating system or it could be fetched on the target
> system by SSSD. Is this correct?
More or less, yes.

I need to understand the SSH scenario a little bit better. In some cases
the user can log in via SSH properly but he gets a "permission denied"
error. I did a kinit myUser and everything worked fine. In order to
reproduce the issue I thought it would be sufficient to do a kdestroy and
try to log in via SSH again but in that case I did not get a "permission
denied" error.

klist showed no ticket

klist: Credentials cache keyring
'persistent:1246620005:krb_ccache_1fh0ssy' not found

Where is this cached? (rpcgssd? rpcidmapd?)

Cheers,
Ronald