Hi list,
I have a question regarding Kerberos cache refresh. My observation is that normally SSSD refreshes my cache just fine, but if I create a Kerberos cache manually using kinit like this:

$ ssh root@remote_machine
Remote_machine # su - Ondrej
Remote_machine $ kinit Ondrej

... my cache is never renewed. Is this normal behaviour? Is there any way to "register" this cache with SSSD so it can take care of it as well?

Note that normally the SSSD ticket cache is created in the format FILE:/tmp/krb5cc_<uid>_random, whereas kinit's is FILE:/tmp/krb5cc_<uid>.
Thanks, Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Thu, Oct 22, 2015 at 08:52:13AM +0000, Ondrej Valousek wrote:
> Hi list,
>
> I have a question regarding Kerberos cache refresh. My observation is that normally SSSD refreshes my cache just fine, but if I create a Kerberos cache manually using kinit like this:
>
> $ ssh root@remote_machine
> Remote_machine # su - Ondrej
> Remote_machine $ kinit Ondrej
>
> ... my cache is never renewed. Is this normal behaviour? Is there any way to "register" this cache with SSSD so it can take care of it as well?
Yes, this is expected, because kinit gets the ticket on its own without talking to SSSD, and hence SSSD does not know where kinit stores the tickets. Instead of calling kinit you can call 'su - Ondrej' a second time, now as user Ondrej. This will run the full PAM stack including authentication, and as a result you should have a valid ticket in a credential cache SSSD knows about and can renew.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
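The two facts in the exchange above (Sumit's point that SSSD only renews caches it created itself through the PAM stack, and Ondrej's note on the two cache names, FILE:/tmp/krb5cc_<uid>_random for SSSD and FILE:/tmp/krb5cc_<uid> for kinit) can be turned into a quick session check. The script below is an added example, not code from the thread, from SSSD or from MIT Kerberos. It assumes the older default krb5_ccname_template of FILE:/tmp/krb5cc_%U_XXXXXX; the klist output it parses is constructed, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example; not code from the thread, SSSD or MIT Kerberos.
# Tells a login session whether its credential cache is one SSSD will renew,
# using the two naming patterns Ondrej reported and the "renew until" line
# that klist prints for a renewable TGT. All sample data below is constructed.

# Classify a ccache name. With the (older) default krb5_ccname_template of
# FILE:/tmp/krb5cc_%U_XXXXXX, SSSD creates FILE:/tmp/krb5cc_<uid>_<random>;
# kinit defaults to FILE:/tmp/krb5cc_<uid>. Anything else (KEYRING:, DIR:,
# a custom template) is reported as "other" and must be checked by hand.
ccache_origin() {
    name=${1#FILE:}                      # drop the cache-type prefix, if any
    case $name in
        /tmp/krb5cc_[0-9]*_*) echo sssd ;;   # uid followed by a random suffix
        /tmp/krb5cc_[0-9]*)   echo kinit ;;  # bare uid: kinit's default
        *)                    echo other ;;
    esac
}

# Read klist output on stdin; print the TGT's "renew until" time, or
# "not-renewable" if the krbtgt entry has no renewable lifetime (a cache
# SSSD knows about still cannot be renewed if the KDC issued a
# non-renewable TGT).
tgt_renew_until() {
    awk '
        /krbtgt\//              { in_tgt = 1; next }
        in_tgt && /renew until/ { sub(/^[ \t]*renew until[ \t]*/, ""); print; found = 1; exit }
        in_tgt                  { in_tgt = 0 }
        END                     { if (!found) print "not-renewable" }
    '
}

# One verdict from both checks: $1 is the ccache name, $2 the klist output.
renewal_verdict() {
    if [ "$(ccache_origin "$1")" != sssd ]; then
        echo unmanaged-ccache            # fix: run 'su - <user>' again through PAM
    elif [ "$(printf '%s\n' "$2" | tgt_renew_until)" = not-renewable ]; then
        echo tgt-not-renewable
    else
        echo renewable-by-sssd
    fi
}

# Constructed klist output for a renewable TGT in an SSSD-created cache.
SAMPLE_RENEWABLE=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000_AbCdEf
Default principal: ondrej@EXAMPLE.COM

Valid starting       Expires              Service principal
10/22/2015 10:52:13  10/22/2015 20:52:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/29/2015 10:52:13
EOF
)

# Constructed klist output for a kinit-created, non-renewable TGT.
SAMPLE_PLAIN=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ondrej@EXAMPLE.COM

Valid starting       Expires              Service principal
10/22/2015 10:52:13  10/22/2015 20:52:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
)

# Stand-alone demo. On a real host pass "$(klist | sed -n 's/^Ticket cache: //p')"
# as the cache name and "$(klist)" as the second argument instead of the samples.
printf '%s\n' "$(renewal_verdict FILE:/tmp/krb5cc_1000_AbCdEf "$SAMPLE_RENEWABLE")"
printf '%s\n' "$(renewal_verdict FILE:/tmp/krb5cc_1000 "$SAMPLE_PLAIN")"
```

The name check is a heuristic: if sssd.conf sets a different krb5_ccname_template, adjust the patterns in ccache_origin. The second check matters even for an SSSD-created cache, since SSSD can only renew a TGT that the KDC issued as renewable (krb5_renewable_lifetime must be set on the SSSD side for the request to ask for one). In Ondrej's transcript the first su is run by root, so the PAM authentication step that would have given SSSD a ticket never happened, which is exactly why a second su as the user is needed.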
Hi,
Thanks for the clarification - so SSSD keeps a database of user principals; if only rpc.gssd did the same :(

One more question - can SSSD communicate with krb5-auth-dialog (possibly via DBUS) and let it know when the ticket is no longer renewable, so that user action (i.e. entering the password into the krb5-auth-dialog GUI) is required? I assume it cannot now, but it would possibly be a nice feature for further releases; what do you think?
Thanks, Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: 22 October 2015 11:13
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] SSSD & Kerberos renewal
On Thu, Nov 05, 2015 at 12:46:25PM +0000, Ondrej Valousek wrote:
> Hi,
>
> Thanks for the clarification - so SSSD keeps a database of user principals; if only rpc.gssd did the same :(
>
> One more question - can SSSD communicate with krb5-auth-dialog (possibly via DBUS) and let it know when the ticket is no longer renewable, so that user action (i.e. entering the password into the krb5-auth-dialog GUI) is required? I assume it cannot now, but it would possibly be a nice feature for further releases; what do you think?
It's a work-in-progress: https://wiki.gnome.org/Design/Whiteboards/EnterpriseLogin#Tentative_Design
Alexander Bokovoy is mostly working on this feature from our team...
Wow! Awesome. The only disadvantage is that it probably won't find its way into RHEL 7. Still a way behind Windows ;(
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 05 November 2015 13:55
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] SSSD & Kerberos renewal