On Tue, Jan 05, 2016 at 11:40:50AM +0100, Andy Airey wrote:
> I'm sorry, but it looks like SSSD is having trouble reading
> /etc/krb5.keytab when msktutil has been run.
> On a machine with a good keytab you get the following when issuing klist
> '/etc/krb5.keytab'
While it is of course possible that SSSD has issues reading the
keytab[1] it is as John said. If you want to read a keytab you have to
use 'klist -k' because by default klist expects a credential cache (a
storage for tickets) and not a keytab (a storage for keys).
[1] Do you see any evidence in the SSSD logs that there are issues reading
the keytab? If any I would expect that SSSD picks the wrong key for some
operations. This might happen in an environment like AD with multiple
different domains and realms. Here SSSD might not be able to find a key
for given realm and might pick the first or last entry from the keytab
and try this. Since msktutil might add the new keys in a different order
it might be possible that it might work for some time and fails after
msktutil is run. But as said before, to be sure the SSSD logs must be
inspected.
bye,
Sumit
> klist: End of credential cache reached
>
> Regards,
> Andy
> On 5 January 2016 at 11:24, John Hodrien <J.H.Hodrien(a)leeds.ac.uk> wrote:
> On Tue, 5 Jan 2016, Andy Airey wrote:
>
>> Hello,
>>
>> I am getting the same errors in syslog on CentOS 6.7 and 7.1.
>>
>> When I issue a plain 'klist /etc/krb5.keytab' I get the following:
>>
>> klist: Bad format in credentials cache
>>>
>>
>> However 'klist -ke' and the like are working, I was wondering if you are
>> seeing the same Neil?
>> Maybe because of this bad format, sssd cannot read it and thus it is an
>> msktutil issue?
>> Maybe we can circumvent this by using some option with msktutil?
>>
>
> That's not in any way broken, surely?
>
> klist -k some.keytab
> klist some.keycache
> klist -c some.keycache
>
> The output of kinit is a cache, the contents of a keytab are not.
>
> jh
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
>