On 10/15/2014 02:58 PM, Lukas Slebodnik wrote:
On (15/10/14 14:37), Joschi Brauchle wrote:
> We have a weird problem with the KRB5CCNAME environment variable that seems
> to be an SSSD bug.
>
> Configuration:
> ------------ /etc/sssd/sssd.conf ------------
> ...
> # Set CCache to Kerberos default
> krb5_ccachedir = /run/user/%U
> krb5_ccname_template = DIR:%d/krb5cc
> ...
> ------------ /etc/sssd/sssd.conf ------------
>
> Now, user "ne96soh" logs in to the machine for the FIRST time and does a
> kerberized ldapsearch:
> ------------
> ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
> DIR:/run/user/3036404/krb5cc
> ne96soh@tueilnt-student01:~$ klist
> Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
> ...
> ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
> ... <succeeds>
> ------------
>
> but then logs into the machine a SECOND concurrent time (i.e. leaving the first
> session open):
> ------------
> ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
> DIR::/run/user/3036404/krb5cc/tktZoweZq
> ne96soh@tueilnt-student01:~$ klist
> Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
> ...
Which version of sssd do you use?
IIRC, we forced storing "DIR:/run/user/3036404/krb5cc/" into our internal
cache.
LS
BTW "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache string. It means
you use just one ccache from the collection.
This version "DIR:/run/user/3036404/krb5cc/" means that any ccache which is
stored in the ccache collection (directory "/run/user/3036404/krb5cc/") can be
used.
The primary ccache would be used as the first ccache.
With KRB5CCNAME="DIR:/run/user/3036404/krb5cc/" you can call "klist -l"
and you will see all ccaches stored in this directory.
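The distinction drawn above, between a KRB5CCNAME that names the whole DIR collection ("DIR:/path") and one that pins a single member ("DIR::/path/tktXXX"), as an added example that is not part of this thread or of SSSD. It assumes the MIT krb5 DIR ccache layout: member caches are files named tkt* inside the directory, and a file named "primary" holds the file name of the primary cache. The directory and file names below are constructed for the demo.

```python
import os
import tempfile


def parse_ccname(ccname):
    """Classify a KRB5CCNAME value of the DIR type.

    "DIR:/path"        -> ("collection", "/path")   any member may be used,
                                                     primary first
    "DIR::/path/tktX"  -> ("single", "/path/tktX")  exactly one member
    anything else      -> ("other", ccname)         FILE:, KEYRING:, ...
    """
    if ccname.startswith("DIR::"):
        return ("single", ccname[len("DIR::"):])
    if ccname.startswith("DIR:"):
        return ("collection", ccname[len("DIR:"):].rstrip("/"))
    return ("other", ccname)


def collection_members(cachedir):
    """Return (primary_path_or_None, sorted member paths) of a DIR collection.

    Assumed layout (MIT krb5 DIR ccache): members are regular files named
    tkt*; the file "primary" contains the bare file name of the primary
    member. If "primary" is absent or empty, no primary is reported here.
    """
    members = sorted(
        os.path.join(cachedir, f)
        for f in os.listdir(cachedir)
        if f.startswith("tkt") and os.path.isfile(os.path.join(cachedir, f))
    )
    primary = None
    primary_file = os.path.join(cachedir, "primary")
    if os.path.isfile(primary_file):
        with open(primary_file) as fh:
            name = fh.read().strip()
        candidate = os.path.join(cachedir, name) if name else None
        if candidate in members:
            primary = candidate
    return primary, members


def usable_caches(ccname):
    """List the ccache files a client may draw credentials from, in the
    order they would be tried: the single pinned cache for DIR::, or the
    primary followed by the remaining members for DIR:."""
    kind, path = parse_ccname(ccname)
    if kind == "single":
        return [path]
    if kind == "collection":
        primary, members = collection_members(path)
        if primary is None:
            return members
        return [primary] + [m for m in members if m != primary]
    return [path]


def demo():
    """Build a constructed collection with two members and a primary file,
    then resolve both KRB5CCNAME spellings against it. Returns the member
    base names seen through the collection form and the single form."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("tktZoweZq", "tktB7x2Qa"):  # constructed member names
            open(os.path.join(d, name), "w").close()
        with open(os.path.join(d, "primary"), "w") as fh:
            fh.write("tktZoweZq\n")  # primary points at the first login's cache
        via_collection = usable_caches("DIR:" + d)
        via_single = usable_caches("DIR::" + os.path.join(d, "tktZoweZq"))
        return (
            [os.path.basename(p) for p in via_collection],
            [os.path.basename(p) for p in via_single],
        )


if __name__ == "__main__":
    print(demo())
```

The collection form yields the primary first and then every other tkt* file, which is what "klist -l" enumerates; the DIR:: form yields exactly one file, so a second session that inherits it cannot see any cache created later in the same directory.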
Sorry for not specifying the SSSD version.
It is 1.9.6 (fairly old, I know).
So if "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache file,
why does the kerberized ldapsearch fail then?
I am guessing that ldapsearch just calls some other library (sasl?) to
get the krb credentials. Hence, somewhere along the chain this
"DIR::/run/user/3036404/krb5cc/tktZoweZq" is not accepted...