On (15/10/14 17:00), Joschi Brauchle wrote:
>On 10/15/2014 02:58 PM, Lukas Slebodnik wrote:
>>On (15/10/14 14:37), Joschi Brauchle wrote:
>>>We have a weird problem with the KRB5CCNAME environment variable that seems
>>>to be an SSSD bug.
>>>
>>>Configuration:
>>>------------ /etc/sssd/sssd.conf ------------
>>>...
>>># Set CCache to Kerberos default
>>>krb5_ccachedir = /run/user/%U
>>>krb5_ccname_template = DIR:%d/krb5cc
>>>...
>>>------------ /etc/sssd/sssd.conf ------------
>>>
>>>Now, user "ne96soh" logs in to the machine for the FIRST time and does a
>>>kerberized ldapsearch:
>>>------------
>>>ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>>DIR:/run/user/3036404/krb5cc
>>>ne96soh@tueilnt-student01:~$ klist
>>>Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>...
>>>ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
>>>... <succeeds>
>>>------------
>>>
>>>but then logs into the machine a SECOND concurrent time (i.e. leaving the first
>>>session open):
>>>------------
>>>ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>>DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>ne96soh@tueilnt-student01:~$ klist
>>>Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>...
>>Which version of sssd do you use?
>>IIRC, we force storing "DIR:/run/user/3036404/krb5cc/" into our internal
>>cache.
>>
>>LS
>>
>>BTW "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache string. It means
>>you use just one ccache from the collection.
>>
>>This version "DIR:/run/user/3036404/krb5cc/" means that any ccache which is
>>stored in the ccache collection (directory "/run/user/3036404/krb5cc/") can be used.
>>As the first ccache, the primary ccache would be used.
>>
>>With KRB5CCNAME="DIR:/run/user/3036404/krb5cc/" you can call "klist -l"
>>and you will see all ccaches stored in this directory.
>Sorry for not specifying the SSSD version.
>It is 1.9.6 (fairly old, I know).
Old, but it should be stable :-)
>So if "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache file, why
>does the kerberized ldapsearch fail then?
>I am guessing that ldapsearch just calls some other library (sasl?) to get
>the krb credentials. Hence, somewhere along the chain this
>"DIR::/run/user/3036404/krb5cc/tktZoweZq" is not accepted...
Here is an upstream ticket:
https://fedorahosted.org/sssd/ticket/2002
The patch was backported only to the sssd-1.10 branch and never to sssd-1.9:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=f65eb572cbc8796fefa...
If you want, you can patch it yourself.
LS
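As an added example (not part of the thread and not SSSD code), the following POSIX shell helper classifies a KRB5CCNAME value the way Lukas distinguishes the two DIR forms above: "DIR:/dir" names the whole collection (primary cache used first, "klist -l" lists them all), while "DIR::/dir/tktXXXX" pins one specific cache inside that collection. The function names (ccname_kind, ccname_collection_dir, expected_ccname_for_uid) are my own, and the sample values are constructed from the two sessions quoted in the thread. An administrator seeing the second-login behaviour can run it against "$KRB5CCNAME" in each session to confirm which form that session received and whether it matches what the sssd.conf template (krb5_ccachedir = /run/user/%U, krb5_ccname_template = DIR:%d/krb5cc) should have produced.

```shell
#!/bin/sh
# Added example, not from the thread: classify a Kerberos ccache name.
#   DIR:/path/        -> whole collection (any cache in the directory is usable)
#   DIR::/path/tktXX  -> one specific cache inside a collection
#   FILE:/path        -> a single FILE-type cache
#   bare /path        -> treated as FILE by libkrb5, reported as "file" here
ccname_kind() {
    case "$1" in
        "")         echo "unset" ;;
        DIR::*)     echo "dir-single" ;;      # DIR:: must be tested before DIR:
        DIR:*)      echo "dir-collection" ;;
        FILE:*)     echo "file" ;;
        KEYRING:*)  echo "keyring" ;;
        *:*)        echo "other" ;;           # some other ccache type prefix
        *)          echo "file" ;;            # no type prefix: default FILE type
    esac
}

# Directory that a DIR-type name refers to, without trailing slash.
# Returns 1 for non-DIR names (nothing printed).
ccname_collection_dir() {
    case "$1" in
        DIR::*) dirname "${1#DIR::}" ;;
        DIR:*)  _d=${1#DIR:}; printf '%s\n' "${_d%/}" ;;
        *)      return 1 ;;
    esac
}

# Name the thread's sssd.conf template expands to for a given UID:
# krb5_ccachedir = /run/user/%U, krb5_ccname_template = DIR:%d/krb5cc
expected_ccname_for_uid() {
    printf 'DIR:/run/user/%s/krb5cc\n' "$1"
}

# 0 if the value is the expected collection name for the UID, 1 otherwise
# (a DIR:: value for the same directory is deliberately reported as a mismatch,
# since that is exactly the second-session symptom described in the thread).
ccname_is_expected() {
    [ "${1%/}" = "$(expected_ccname_for_uid "$2")" ]
}

# Constructed sample values, copied from the two sessions quoted above.
for name in 'DIR:/run/user/3036404/krb5cc' 'DIR::/run/user/3036404/krb5cc/tktZoweZq'; do
    if ccname_is_expected "$name" 3036404; then status=ok; else status=MISMATCH; fi
    printf '%-45s %-15s %-28s %s\n' "$name" "$(ccname_kind "$name")" \
        "$(ccname_collection_dir "$name")" "$status"
done
```

In a live session replace the loop with `ccname_kind "$KRB5CCNAME"` and `ccname_is_expected "$KRB5CCNAME" "$(id -u)"`; a "dir-single" result in a fresh login is the symptom the thread is about.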