I filed this issue a week or so ago:
https://pagure.io/SSSD/sssd/issue/4017
In essence, it would seem that if KCM already has credentials in the cache, then KCM will never discard those credentials in favor of new credentials being forwarded via sshd, even if the credentials in the cache are expired.
This is a showstopper bug for using KCM in any type of enterprise environment, where remote connections are frequent.
Have I misunderstood what is actually happening? Or am I correct in that this is a bug with KCM?
Sounds like the same issue I had, I created a bugzilla ticket for it: https://bugzilla.redhat.com/show_bug.cgi?id=1712875
It hasn't been confirmed as a bug yet though, but it sure feels like it.
For us KCM does not bring anything extra to the table as it does not manage ticket renewals yet, so we switched back to kernel keyring for Kerberos tickets.
________________________________________
From: James Ralston [ralston@pobox.com]
Sent: 03 June 2019 23:06
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] KCM credential forwarding behavior broken?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Tue, Jun 4, 2019 at 1:25 AM Winberg Adam <Adam.Winberg@smhi.se> wrote:
> Sounds like the same issue I had, I created a bugzilla ticket for it: https://bugzilla.redhat.com/show_bug.cgi?id=1712875
Thanks; I piled on.
> For us KCM does not bring anything extra to the table as it does not manage ticket renewals yet, so we switched back to kernel keyring for Kerberos tickets.
Sites who use Kerberos authentication to access both Windows SMB shares and NFS mounts care about this, because KCM avoids the problem of cifs.upcall creating root's kernel persistent keyring with the wrong SELinux context and thus breaking rpc.gssd's ability to subsequently access the credential cache.
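The behaviour the thread describes (a stale TGT in the KCM cache that is never replaced by the credentials sshd forwards) is easy to confirm from the client side by comparing the two caches with `klist`. The script below is an added example, not code from SSSD or from either poster: it parses `klist`'s default Linux text output (the `MM/DD/YYYY HH:MM:SS` timestamp layout is an assumption about the locale) instead of talking to KCM directly, and it decides whether the forwarded TGT should have won. The two `klist` transcripts are constructed sample data.

```python
"""Check whether the krbtgt in a credential cache (as printed by `klist`)
is expired, and whether a freshly forwarded TGT should have replaced it.

Added example for the sssd-users thread on KCM forwarding; it works on
klist's text output only. The sample transcripts are constructed."""
import re
from datetime import datetime

# klist's default timestamp format on Linux (assumed; it is locale-dependent).
_TS = "%m/%d/%Y %H:%M:%S"
# One ticket row: "<valid starting>  <expires>  <service principal>".
# Continuation rows ("renew until ...") do not match and are skipped.
_ROW = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)

# Constructed: what `klist` might print for the KCM cache that already
# existed on the host (yesterday's TGT).
CACHED_KLIST = """Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/03/2019 08:00:00  06/03/2019 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed: the credentials sshd delivered with today's login
# (path under /tmp is a placeholder, not an SSSD default).
FORWARDED_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000_forwarded
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/04/2019 09:00:00  06/04/2019 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_klist(text):
    """Return (cache_name, principal, {service_principal: (start, expires)})."""
    cache = principal = None
    tickets = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = _ROW.match(line)
            if m:
                start = datetime.strptime(m.group(1), _TS)
                expires = datetime.strptime(m.group(2), _TS)
                tickets[m.group(3)] = (start, expires)
    return cache, principal, tickets


def tgt_expiry(tickets):
    """Expiry of the krbtgt entry, or None if the cache holds no TGT at all."""
    for service, (_start, expires) in tickets.items():
        if service.startswith("krbtgt/"):
            return expires
    return None


def tgt_expired(klist_text, now):
    """True when the cache has no usable TGT at time `now` (missing counts as expired)."""
    expires = tgt_expiry(parse_klist(klist_text)[2])
    return expires is None or expires <= now


def should_replace(cached_text, forwarded_text, now):
    """Expected behaviour: the forwarded TGT should win when the cached one is
    expired (or absent) or when the forwarded one is valid for longer."""
    cached_exp = tgt_expiry(parse_klist(cached_text)[2])
    fwd_exp = tgt_expiry(parse_klist(forwarded_text)[2])
    if fwd_exp is None or fwd_exp <= now:
        return False          # nothing usable was forwarded
    if cached_exp is None or cached_exp <= now:
        return True           # the stale cache must not shadow a live ticket
    return fwd_exp > cached_exp


if __name__ == "__main__":
    now = datetime(2019, 6, 4, 9, 5, 0)
    print("cached TGT expired:", tgt_expired(CACHED_KLIST, now))
    print("forwarded TGT should replace it:",
          should_replace(CACHED_KLIST, FORWARDED_KLIST, now))
```

In practice you would feed the function the real output of `klist` (for the KCM cache) and `klist -c <forwarded cache>` for the file sshd wrote; if `should_replace` is true but `klist` on the default cache still shows the old expiry, you are seeing the behaviour the thread reports.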