I would like to change where sssd creates the krb5 credential cache when using AD for authentication. It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>. We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04). I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but that didn't change where the cache got created. Below is the sssd.conf file. Is this possible with the AD provider?
Jay McCanta F5 Networks, Inc.
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 3

[nss]

[pam]
debug_level = 3

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
krb5_ccachedir=/var/run
krb5_ccname_template=FILE:%d/krb5cc_%U
On (04/02/16 04:46), Jay McCanta wrote:
The configuration looks good to me?
How did you test it? ssh? "su", "su -" ...
LS
On Thu, Feb 04, 2016 at 09:29:02AM +0100, Lukas Slebodnik wrote:
I'm not 100% sure about all the use-cases (and currently no time to test, sadly), but I remember that sssd stores the ccache in the ldb cache and tries to reuse the existing one. So chances are you might need to clear the cache (and please make sure you're doing this while connected to the network, the cache also contains the cached passwords).
My test was via ssh from another node. I purged the caches (rm /var/lib/sss/db/* /var/lib/sss/mb/*) and restarted, but no change. It looks like a new krb5ccache file is created on every login.
Obfuscated sample:
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$ logout
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT
Jay

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Thursday, February 4, 2016 5:23 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Kerberos Cred Cache name with Active Directory
On (04/02/16 16:14), Jay McCanta wrote:
My test was via ssh from another node. I purged the caches (rm /var/lib/sss/db/* /var/lib/sss/mb/*) and restarted, but no change. It looks like a new krb5ccache file is created on every login.
Obfuscated sample:
$ ssh XXX (using Kerberos)
What did you mean by using Kerberos?
Did you authenticate with ssh + krb5 ticket (gssapi) or did you use a password for authentication?
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$ logout
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT
If you used password then could you provide log files from domain section and krb5_child.log?
You will need to add "debug_level = 9" into domain section and restart sssd + reproduce problem.
Feel free to send log files to my private mail if you do not want to share them on the public mailing list.
LS
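Added example (not from the thread, and not sssd or OpenSSH code): a small Python script that expands the krb5_ccname_template substitutions documented in sssd.conf(5) and compares the cache name reported by klist against both the configured template and sssd's own default for this version (krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX with krb5_ccachedir = /tmp, assumed unchanged by distro packaging). It then checks that a FILE: ccache is a regular file owned by the user with no group/other permission bits. The user, uid, random suffix and klist output are constructed; a run of X is matched as any alphanumeric run, since its length depends on which component filled it in. A name that matches only the default pattern tells you the custom template is not what produced the cache, whether because sssd never applied it or because a different component on the login path (the GSSAPI-versus-password question above) created the cache and exported KRB5CCNAME.

```python
#!/usr/bin/env python3
# Added example for the sssd-users thread above; not sssd or OpenSSH code.
# Expands sssd.conf(5) krb5_ccname_template tokens and checks an observed
# ccache name and file against the configured and default templates.
import os
import re
import stat

# Defaults for sssd 1.11 as documented in sssd.conf(5) (assumed unchanged by
# distro packaging).
SSSD_DEFAULT_CCACHEDIR = "/tmp"
SSSD_DEFAULT_TEMPLATE = "FILE:%d/krb5cc_%U_XXXXXX"

# Placeholder for %P when the client PID is unknown (matched as digits later).
_PID_PLACEHOLDER = "PIDPLACEHOLDER"

# Constructed user and klist output; the uid and random suffix are made up.
ALICE = dict(user="alice", uid=1234, principal="alice@EXAMPLE.COM",
             realm="EXAMPLE.COM", home="/home/alice")
KLIST_SAMPLE = ("Ticket cache: FILE:/tmp/krb5cc_1234_wI6zZjSxdS\n"
                "Default principal: alice@EXAMPLE.COM\n")


def expand_template(template, *, user, uid, principal, realm, home,
                    ccachedir, pid=None):
    """Expand the substitutions sssd.conf(5) documents for krb5_ccname_template:
    %u login name, %U numeric UID, %p principal, %r realm, %h home directory,
    %d krb5_ccachedir, %P client PID, %% a literal percent sign."""
    subs = {"u": user, "U": str(uid), "p": principal, "r": realm, "h": home,
            "d": ccachedir, "%": "%",
            "P": str(pid) if pid is not None else _PID_PLACEHOLDER}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(subs[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def template_regex(template, **ctx):
    """Regex over every name the template can expand to for this user: a run
    of six or more X is a random suffix (its length depends on who filled it
    in, so any alphanumeric run is accepted); %P is any PID."""
    pattern = re.escape(expand_template(template, **ctx))
    pattern = pattern.replace(re.escape(_PID_PLACEHOLDER), r"\d+")
    pattern = re.sub(r"X{6,}", r"[A-Za-z0-9_.-]+", pattern)
    return re.compile(pattern)


def classify_ccache(observed, configured_template, configured_ccachedir, **user):
    """Say which template the observed KRB5CCNAME is consistent with:
    'configured', 'sssd-default', or 'other'."""
    if template_regex(configured_template, ccachedir=configured_ccachedir,
                      **user).fullmatch(observed):
        return "configured"
    if template_regex(SSSD_DEFAULT_TEMPLATE, ccachedir=SSSD_DEFAULT_CCACHEDIR,
                      **user).fullmatch(observed):
        return "sssd-default"
    return "other"


def klist_ccache_name(klist_output):
    """Pull the cache name from klist(1) output ('Ticket cache: FILE:...')."""
    m = re.search(r"^Ticket cache:\s*(\S+)", klist_output, re.MULTILINE)
    return m.group(1) if m else None


def check_ccache_file(ccname, expected_uid):
    """For a FILE: ccache, confirm it is a regular file (not a symlink) owned
    by the user with no group/other permission bits; anything else exposes
    the TGT to other local users."""
    if not ccname.startswith("FILE:"):
        return False, "not a FILE: ccache"
    path = ccname[len("FILE:"):]
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %04o is group/world accessible" % stat.S_IMODE(st.st_mode)
    return True, "ok"


if __name__ == "__main__":
    name = klist_ccache_name(KLIST_SAMPLE)
    verdict = classify_ccache(name, "FILE:%d/krb5cc_%U", "/var/run", **ALICE)
    print(name, "->", verdict)            # the thread's case: sssd-default
    print(check_ccache_file(name, ALICE["uid"]))
```

Run it on a real box by replacing KLIST_SAMPLE with the output of klist after the login you are testing and ALICE with the real account; if the verdict is "sssd-default" for a password login, the domain-section and krb5_child.log output at debug_level = 9 is the next place to look, and if it is "other", the name came from something other than sssd's template.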