On Wed, Oct 15, 2014 at 05:45:39PM +0200, Lukas Slebodnik wrote:
On (15/10/14 17:00), Joschi Brauchle wrote:
>On 10/15/2014 02:58 PM, Lukas Slebodnik wrote:
>>On (15/10/14 14:37), Joschi Brauchle wrote:
>>>We have a weird problem with the KRB5CCNAME environment variable that seems
>>>to be an SSSD bug.
>>>
>>>Configuration:
>>>------------ /etc/sssd/sssd.conf ------------
>>>...
>>># Set CCache to Kerberos default
>>>krb5_ccachedir = /run/user/%U
>>>krb5_ccname_template = DIR:%d/krb5cc
>>>...
>>>------------ /etc/sssd/sssd.conf ------------
>>>
>>>Now, user "ne96soh" logs in to the machine for the FIRST time and does a
>>>kerberized ldapsearch:
>>>------------
>>>ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>>DIR:/run/user/3036404/krb5cc
>>>ne96soh@tueilnt-student01:~$ klist
>>>Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>...
>>>ne96soh@tueilnt-student01:~$ ldapsearch ...<using GSSAPI>
>>>... <succeeds>
>>>------------
>>>
>>>but then logs into the machine a SECOND concurrent time (i.e. leaving first
>>>session open):
>>>------------
>>>ne96soh@tueilnt-student01:~$ echo $KRB5CCNAME
>>>DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>ne96soh@tueilnt-student01:~$ klist
>>>Ticket cache: DIR::/run/user/3036404/krb5cc/tktZoweZq
>>>...
>>Which version of sssd do you use?
>>IIRC, we forced it to store "DIR:/run/user/3036404/krb5cc/" into our internal
>>cache.
>>
>>LS
>>
>>BTW "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache string. It means
>>you use just one ccache from the collection.
>>
>>This version "DIR:/run/user/3036404/krb5cc/" means that any ccache which is
>>stored in the ccache collection (directory "/run/user/3036404/krb5cc/") can
>>be used. The primary ccache would be used as the first ccache.
>>
>>With KRB5CCNAME="DIR:/run/user/3036404/krb5cc/" you can call "klist -l"
>>and you will see all ccaches stored in this directory.
>
>
>Sorry for not specifying the SSSD version.
>It is 1.9.6 (fairly old, I know).
>
old but should be stable :-)
>So if "DIR::/run/user/3036404/krb5cc/tktZoweZq" is a valid ccache file, why
>does the kerberized ldapsearch fail then?
>
>I am guessing that ldapsearch just calls some other library (sasl?) to get
>the krb credentials. Hence, somewhere along the chain this
>"DIR::/run/user/3036404/krb5cc/tktZoweZq" is not accepted...
>
Here is an upstream ticket
https://fedorahosted.org/sssd/ticket/2002
The patch was backported just to the branch sssd-1.10 and never into sssd-1.9
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=f65eb572cbc8796fefa...
If you want you can patch it yourself.
Speaking of, our front page still states the LTM release is 1.9.6.
While technically, this is true because we never announced that LTM from
now on is 1.11, it really doesn't reflect the reality either.
I suggest we should (after releasing the upcoming 1.12.x releases!) do a
1.9.7 with what's been committed to sssd-1-9 since 1.9.6, announce it's
the last 1.9 release and 1.11 is the new stable.
I also think that 1.11.7 is the first upstream release from sssd-1-11 that
could be compared to 1.9.6 quality-wise.