On Wed, Jun 05, 2013 at 09:37:28AM +0200, Lukas Slebodnik wrote:
> On (02/06/13 23:14), Jakub Hrozek wrote:
> >On Sat, 2013-06-01 at 11:43 +0200, Lukas Slebodnik wrote:
> >> On (31/05/13 21:29), Jakub Hrozek wrote:
> >> >On Wed, 2013-05-29 at 16:09 +0200, Lukas Slebodnik wrote:
> >> >> On (29/05/13 08:44), Simo Sorce wrote:
> >> >> >On Wed, 2013-05-29 at 11:30 +0200, Lukas Slebodnik wrote:
> >> >> >> On (29/05/13 11:07), Lukas Slebodnik wrote:
> >> >> >> >ehlo,
> >> >> >> >
> >> >> >> >Function krb5_cc_get_full_name is called only as a way to validate that
> >> >> >> >we have the right cache. Instead of the returned name, the location will be
> >> >> >> >returned from function cc_dir_cache_for_princ.
> >> >> >> >
> >> >> >> >https://fedorahosted.org/sssd/ticket/1936
> >> >> >> >
> >> >> >> >Patch is attached.
> >> >> >> >
> >> >> >> >LS
> >> >> >>
> >> >> >> self NACK
> >> >> >>
> >> >> >> this patch stores to cache DIR:/run/user/325600000/krb5cc
> >> >> >> ^^^^
> >> >> >> missing colon?
> >> >> >
> >> >> >No, this is the correct form.
> >> >> I found out that it is the correct form.
> >> >> The problem was with checking ccname in function sss_krb5_cc_file_path.
> >> >>
> >> >> New patches attached.
> >> >>
> >> >> LS
> >> >
> >> >Sorry for the reply from gmail. My OTP token decided the best password
> >> >for me on a Friday evening is "Err", so I can't access my redhat.com
> >> >account at the moment.
> >> >
> >> >These patches break one assumption we want to keep -- if there is a user
> >> >logged in and the same user logs in for example from another terminal,
> >> >they should have the same ccache. With your patches, I'm getting a new
> >> >one when I log in simultaneously.
> >> >
> >> >I haven't tested that, but I guess this is because the path to the collection
> >> >is always passed to the krb5_child now. I think that in the case the user is
> >> >already logged in (in krb5 code we denote this with "ccache is active"),
> >> >then you should pass the full path to the ccache to the krb5_child.
> >> >
> >> Simo wrote in ticket comment
> >> (https://fedorahosted.org/sssd/ticket/1936#comment:10)
> >>
> >> > Do we really want to store only DIR:/run/user/$uid/krb5cc/ to cache?
> >> Yes, this is exactly what we want as a ccache.
> >>
> >> LS
> >
> >Yes, I saw that comment and I agree with Simo.
> >
> >But I think we should examine the ccache collection and in the case
> >there already is a valid cache present there, we should reuse it just
> >like we did before.
> >
>
> I did not realize that a new ccache is created after another login.
> Thank you for review.
>
> Updated patches are attached.
>
> LS

I'm afraid the detection works too well :-)
I tested with an expired ccache:

$ sudo klist /run/user/208800000/ccdir/tktGihEUV
Ticket cache: FILE:/run/user/208800000/ccdir/tktGihEUV
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
06/07/2013 14:57:16  06/08/2013 14:57:16  krbtgt/EXAMPLE.COM@EXAMPLE.COM
                     ^^^^^^^^^^^^^^^^^^^
                     only valid until 8th of July
	renew until 06/14/2013 14:57:16

And SSSD assigned me this ccache. I would expect that if there already
is a ccache for the user, but it is expired (there is a function in the
krb5 provider that checks if ccache is valid and active), then it would
be overwritten with a fresh one.
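As an added illustration (not code from this thread or from SSSD), a small Python script that parses klist output like the listing above and applies the reuse rule asked for here: an existing ccache for the principal is reused only while its TGT is unexpired, otherwise it is to be overwritten. The sample listing is constructed from the klist output in the mail; the "now" timestamps used to exercise it are assumptions.

```python
import re
from datetime import datetime
# Constructed sample: the klist listing quoted in the mail, with klist's column layout.
KLIST_OUTPUT = """\
Ticket cache: FILE:/run/user/208800000/ccdir/tktGihEUV
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
06/07/2013 14:57:16  06/08/2013 14:57:16  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/14/2013 14:57:16
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
CRED_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)\s*$" % (TS, TS))
RENEW_RE = re.compile(r"^\s*renew until (%s)\s*$" % TS)


def parse_klist(text):
    """Parse klist output into cache name, default principal and credential list."""
    info = {"cache": None, "principal": None, "creds": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache: "):
            info["cache"] = line[len("Ticket cache: "):].strip()
        elif line.startswith("Default principal: "):
            info["principal"] = line[len("Default principal: "):].strip()
        elif CRED_RE.match(line):
            m = CRED_RE.match(line)
            info["creds"].append({"start": datetime.strptime(m.group(1), TS_FMT),
                                  "expires": datetime.strptime(m.group(2), TS_FMT),
                                  "service": m.group(3), "renew_until": None})
        elif RENEW_RE.match(line) and info["creds"]:
            # a "renew until" line belongs to the credential printed just above it
            when = RENEW_RE.match(line).group(1)
            info["creds"][-1]["renew_until"] = datetime.strptime(when, TS_FMT)
    return info


def ccache_decision(info, now):
    """Rule from the thread: reuse the existing ccache only while it holds an unexpired
    TGT for the principal's realm, else overwrite it. Renewability is ignored on purpose."""
    if isinstance(now, str):  # accept a klist-style timestamp as well as a datetime
        now = datetime.strptime(now, TS_FMT)
    realm = info["principal"].split("@", 1)[1]
    tgt_name = "krbtgt/%s@%s" % (realm, realm)
    for cred in info["creds"]:
        if cred["service"] == tgt_name and now < cred["expires"]:
            return "reuse"
    return "overwrite"
```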