[Freeipa-users] Re: ipa client autofs issue

On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote: > On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote: >> Ronald Wimmer via FreeIPA-users wrote: >>> On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote: >>>> I am confronted with a relatively strange behaviour regarding ipa and >>>> automounting. We are using automounted home shares on some of our >>>> systems. >>>> >>>> On two almost identical systems I cannot chdir (permission denied) to >>>> user A's home directory on server 1 but chdir to user B's home >>>> directory works. On server 2 it is the exact opposite. On a third >>>> server chdir does not work for both users. >>> >>> A manual "kinit userA" seems to solve the problem as the user had no >>> Kerberos credentials? But why? Why was a Kerberos ticket not fetched >>> automatically? >> >> How did the user login to the system? > > SSH. > > Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed > to work or does it only work when the user has a valid ticket (from a > previous login)? The latter. > (Does it make a difference when I have no Kerberos ticket on the > originating system and I am forced to enter the users password upon > login? Both cases should result in obtaining a Kerberos ticket, > shouldn't they?) It depends. A lot, actually:  - If your SSH client allows forwarding a TGT and KDC allows it too,    then login with Kerberos ticket to SSH server might give you a    working TGT on the server side. SSSD on the server side is not    involved here as Kerberos authentication is handled completely by SSH    server.  - if you login with password over SSH and you have PAM authentication    enabled in SSH server configuration, SSSD might get you a new    Kerberos ticket in the user's ccache on the server side.