Hi,
Thanks for the clarification - so SSSD keeps a database of user principals - if only rpc.gssd
did the same :(
One more question - can SSSD communicate with krb5-auth-dialog (possibly via DBUS) and let
it know when the ticket is no longer renewable, so that user action (i.e. entering the password
in the krb5-auth-dialog GUI) is required?
I assume it cannot now - but possibly a nice feature for further releases, what do you
think?
Thanks,
Ondrej
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: 22 October 2015 11:13
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] SSSD & Kerberos renewal
On Thu, Oct 22, 2015 at 08:52:13AM +0000, Ondrej Valousek wrote:
> Hi list,
> I have a question regarding Kerberos cache refresh. My observation is that normally sssd
> refreshes my cache just fine, but if I create a Kerberos cache manually using kinit like
> this:
> $ ssh root@remote_machine
> Remote_machine # su - Ondrej
> Remote_machine $ kinit Ondrej
> ... my cache is never renewed. Is this normal behaviour? Is there any way to
> "register" this cache with SSSD so it can take care of it as well?
Yes, this is expected because kinit gets the ticket on its own without talking to SSSD, and
hence SSSD will not know where kinit will store the tickets. Instead of calling kinit you
can call 'su - Ondrej' for a second time, now as user Ondrej. This will run the
full PAM stack including authentication, and as a result you should have a valid ticket in
a credential cache SSSD knows about and can renew.
HTH
bye,
Sumit
> Note that normally the SSSD ticket cache is created in the format of:
> FILE:/tmp/krb5cc_<uid>_random
> Whereas kinit's is:
> FILE:/tmp/krb5cc_<uid>
> Thanks,
> Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users