On (15/10/14 17:00), Joschi Brauchle wrote:
> On 10/15/2014 02:58 PM, Lukas Slebodnik wrote:
>> On (15/10/14 14:37), Joschi Brauchle wrote:
>>> We have a weird problem with the KRB5CCNAME environment variable that seems
>>> to be an SSSD bug.
>>>
>>> Configuration:
>>> ------------ /etc/sssd/sssd.conf ------------
>>> ...
>>> # Set CCache to Kerberos default
>>> krb5_ccachedir = /run/user/%U
>>> krb5_ccname_template = DIR:%d/krb5cc
>>> ...
>>> ------------ /etc/sssd/sssd.conf ------------
>>>
>>> Now, user "ne96soh" logs in to the machine for the FIRST time and does a
>>> kerberized ldapsearch:
>>> ------------
>>> ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>> DIR:/run/user/3036404/krb5cc
>>> ne96soh@tueilnt-student01:~$ klist
>>> Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>> ...
>>> ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
>>> ... <succeeds>
>>> ------------
>>>
>>> but then logs into the machine a SECOND concurrent time (i.e. leaving first
>>> session open):
>>> ------------
>>> ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>> DIR::/run/user/3036404/krb5cc/tktZoweZq
>>> ne96soh@tueilnt-student01:~$ klist
>>> Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>> ...
>> Which version of sssd do you use?
>> IIRC, we forced to store "DIR:/run/user/3036404/krb5cc/" into our internal
>> cache.
>>
>> LS
>>
>> BTW "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache string. It means
>> you use just one ccache from the collection.
>>
>> This version "DIR:/run/user/3036404/krb5cc/" means that any ccache which is
>> stored in the ccache collection (directory "/run/user/3036404/krb5cc/") can be used.
>> The primary ccache would be used as the first ccache.
>>
>> With KRB5CCNAME="DIR:/run/user/3036404/krb5cc/" you can call "klist -l"
>> and you will see all ccaches stored in this directory.
>
>
> Sorry for not specifying the SSSD version.
> It is 1.9.6 (fairly old, I know).
>
old but should be stable :-)
> So if "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache file, why
> does the kerberized ldapsearch fail then?
>
> I am guessing that ldapsearch just calls some other library (sasl?) to get
> the krb credentials. Hence, somewhere along the chain this
> "DIR::/run/user/3036404/krb5cc/tktZoweZq" is not accepted...
>
Here is an upstream ticket
https://fedorahosted.org/sssd/ticket/2002
The patch was backported just to the branch sssd-1.10 and never into sssd-1.9
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=f65eb572cbc8796fefa...
If you want you can patch it yourself.
LS
I have ported the patch to 1.9.6, but still get the exact same behavior
as described in the original email, unfortunately.
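To make the "DIR:" versus "DIR::" distinction from Lukas's reply concrete, here is an added example (not code from the thread or from SSSD) that interprets a KRB5CCNAME value the way a client would: a "DIR:" collection offers every cache in the directory with the primary first, while "DIR::" pins exactly one file. It assumes the MIT DIR ccache layout, where the directory holds "tkt*" files and a "primary" file naming the primary cache; the collection it builds is constructed in a temp directory to mirror the thread's /run/user/3036404/krb5cc.

```python
"""Interpret KRB5CCNAME values of the MIT DIR ccache type (added example)."""
import os
import tempfile


def parse_krb5ccname(value):
    """Return (kind, path) for a KRB5CCNAME value.

    'collection' : DIR:/dir   -> any cache in the directory may be used
    'single'     : DIR::/file -> exactly one cache file of the collection
    'other'      : any other ccache type (FILE:, KEYRING:, ...)
    """
    if value.startswith("DIR::"):
        return ("single", value[len("DIR::"):])
    if value.startswith("DIR:"):
        return ("collection", value[len("DIR:"):].rstrip("/") or "/")
    return ("other", value)


def list_collection(dirpath):
    """Mimic 'klist -l' over a DIR collection: primary cache first, then the rest."""
    tkts = sorted(f for f in os.listdir(dirpath) if f.startswith("tkt"))
    primary_file = os.path.join(dirpath, "primary")  # MIT layout assumption
    primary = None
    if os.path.exists(primary_file):
        with open(primary_file) as fh:
            primary = fh.read().strip()
    ordered = [t for t in tkts if t == primary] + [t for t in tkts if t != primary]
    return ["DIR::" + os.path.join(dirpath, t) for t in ordered]


def usable_caches(value):
    """Caches a GSSAPI client could pick for this KRB5CCNAME value."""
    kind, path = parse_krb5ccname(value)
    if kind == "collection":
        return list_collection(path)
    if kind == "single":
        return [value] if os.path.isfile(path) else []
    return [value]


def demo():
    """Constructed collection with two caches; tktZoweZq is the primary."""
    d = tempfile.mkdtemp(prefix="krb5cc")
    for name in ("tktZoweZq", "tktAbc123"):
        open(os.path.join(d, name), "w").close()
    with open(os.path.join(d, "primary"), "w") as fh:
        fh.write("tktZoweZq\n")
    first_login = usable_caches("DIR:" + d)                    # sssd.conf template form
    second_login = usable_caches("DIR::" + d + "/tktZoweZq")   # single-cache form from the thread
    return first_login, second_login
```

Both forms resolve to the same primary cache here, which is why Lukas calls the "DIR::" string valid; the difference only shows once more than one cache exists or the pinned file disappears.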