On Tue, 15 Sep 2020, Ronald Wimmer via FreeIPA-users wrote:
>On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>>Ronald Wimmer via FreeIPA-users wrote:
>>>On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>>I am confronted with a relatively strange behaviour regarding ipa and
>>>>automounting. We are using automounted home shares on some of our
>>>>systems.
>>>>
>>>>On two almost identical systems I cannot chdir (permission denied) to
>>>>user A's home directory on server 1 but chdir to user B's home
>>>>directory works. On server 2 it is the exact opposite. On a third
>>>>server chdir does not work for both users.
>>>
>>>A manual "kinit userA" seems to solve the problem as the user had no
>>>Kerberos credentials? But why? Why was a Kerberos ticket not fetched
>>>automatically?
>>
>>How did the user login to the system?
>SSH.
>Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed
>to work or does it only work when the user has a valid ticket (from a
>previous login)?
The latter.
>(Does it make a difference when I have no Kerberos ticket on the
>originating system and I am forced to enter the user's password upon
>login? Both cases should result in obtaining a Kerberos ticket,
>shouldn't they?)
It depends. A lot, actually:
- If your SSH client allows forwarding a TGT and the KDC allows it too,
then logging in with a Kerberos ticket to the SSH server might give you a
working TGT on the server side. SSSD on the server side is not
involved here as Kerberos authentication is handled completely by the SSH
server.
- If you log in with a password over SSH and you have PAM authentication
enabled in the SSH server configuration, SSSD might get you a new
Kerberos ticket in the user's ccache on the server side.
In either case, 'su - ...' is not giving you any Kerberos ticket unless
it exists already in the target environment. For example, if your system
is configured to use a session-specific KEYRING credentials cache
collection, then 'su - ...' will never be able to access the user's ccache
from another session. The default in RHEL 7 is to use KEYRING with a
persistent ccache, not a session-specific one. The default in RHEL 8 is to
use KCM:, which is also persistent and gives access to the user's ticket from
any session he/she opened.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
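As an added example (not from the thread), a POSIX shell check that reads the two settings the answer above turns on: the credentials cache collection type in krb5.conf, which decides whether 'su - user' can see a ticket obtained in another session, and whether sshd hands password logins to PAM. The sample config files are constructed inline and the function names are mine.

```shell
#!/bin/sh
# Classify a host's ticket plumbing from its config files alone.
# The two sample files below are constructed for this example; on a real
# host point the functions at /etc/krb5.conf and /etc/ssh/sshd_config.

# Print the value of a key inside a named [section] of krb5.conf.
krb5_value() {  # $1 file, $2 section, $3 key; prints the value or nothing
    awk -v sec="[$2]" -v re="^[ \t]*$3[ \t]*=" '
        /^[ \t]*\[/      { insec = ($1 == sec) }
        insec && $0 ~ re { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t].*$/, ""); print; exit }
    ' "$1"
}

# Is a ticket obtained in one login session visible to 'su - user' started
# from a different session?  Depends on default_ccache_name.
ccache_scope() {  # $1 krb5.conf; prints per-session | cross-session | unset
    case "$(krb5_value "$1" libdefaults default_ccache_name)" in
        "")                   echo unset ;;         # MIT built-in: FILE:/tmp/krb5cc_%{uid}
        KEYRING:session:*)    echo per-session ;;   # never reachable from another session
        KEYRING:persistent:*) echo cross-session ;; # RHEL 7 default
        KCM:*)                echo cross-session ;; # RHEL 8 default
        FILE:*|DIR:*)         echo cross-session ;; # a path the target uid can open
        *)                    echo unknown ;;
    esac
}

# Does sshd run PAM for password logins (the path where SSSD can fetch a
# ticket for the user)?  Absent keyword = upstream default "no"; distro
# packages normally ship an explicit "UsePAM yes".
sshd_uses_pam() {  # $1 sshd_config; prints yes | no
    v=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    [ "$v" = yes ] && echo yes || echo no
}

# Constructed samples standing in for the real files.
tmp=$(mktemp -d)
cat >"$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:session:%{uid}
[realms]
EOF
cat >"$tmp/sshd_config" <<'EOF'
GSSAPIAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
echo "ccache scope:  $(ccache_scope "$tmp/krb5.conf")"      # per-session
echo "sshd uses PAM: $(sshd_uses_pam "$tmp/sshd_config")"  # yes
rm -rf "$tmp"
```

A "per-session" result with a working SSH login is exactly the situation where 'su - user' from a root shell finds no ticket; "cross-session" means su will see whatever the user's own SSH session already obtained.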