2012-08-20 18:04:02 |
musicalvegan0 |
description |
Ubuntu 12.04.1
sssd 1.8.2-0ubuntu1
Arch i386
When SSSD is configured for krb5 auth and a user successfully logs in, the following ticket is generated in /tmp/krb5cc_UID_XXXXXX:
klist -c /tmp/krb5cc_UID_XXXXXX
Default principal: USER@DOMAIN.LOCAL
Valid starting Expires Service principal
31/12/1969 19:00 31/12/1969 19:00 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
The expected outcome is to receive a Kerberos ticket with a valid starting and stopping date.
After some experimentation, the issue may be related to the credential cache, as deleting the bad ticket, deleting the SSSD cache, and restarting the sssd service seem to produce a valid ticket:
service sssd stop
rm /tmp/krb5cc_UID_XXXXXX
rm -rf /var/lib/sss/db/*
service sssd start
<user log in successful>
klist -c /tmp/krb5cc_UID_XXXXXX
Default principal: USER@DOMAIN.LOCAL
Valid starting Expires Service principal
20/08/2012 13:49 20/08/2012 23:49 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 20/08/2012 23:49
Specifying krb5_* options in sssd.conf seems to have no effect on the outcome of the ticket.
Obviously, this bug creates problems for applications and services that require a valid Kerberos ticket such as Kerberized NFS mounts. |
|
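A check for the symptom in this report, as an added example that is not part of the original bug report or of SSSD: it reads `klist` output and flags tickets whose times sit at the Unix epoch, have no lifetime, or have expired. It assumes the `dd/mm/yyyy HH:MM` date layout shown in the report (klist formatting depends on locale); `check_klist` and the other names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two klist listings quoted in the report.
BAD = """Default principal: USER@DOMAIN.LOCAL
Valid starting Expires Service principal
31/12/1969 19:00 31/12/1969 19:00 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
"""
GOOD = """Default principal: USER@DOMAIN.LOCAL
Valid starting Expires Service principal
20/08/2012 13:49 20/08/2012 23:49 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 20/08/2012 23:49
"""

STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2})"
TICKET = re.compile(r"^\s*" + STAMP + r"\s+" + STAMP + r"\s+(\S+)\s*$")
FMT = "%d/%m/%Y %H:%M"          # assumption: date layout as printed in the report
EPOCH = datetime(1970, 1, 1)
EPOCH_SLACK = timedelta(days=1)  # klist prints local time, so allow for the UTC offset


def check_klist(text, now):
    """Return [(service, problem)] for tickets that cannot be used."""
    findings = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if not m:
            continue  # principal, column header and "renew until" lines
        start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
        service = m.group(3)
        if abs(start - EPOCH) <= EPOCH_SLACK or abs(end - EPOCH) <= EPOCH_SLACK:
            findings.append((service, "timestamps at Unix epoch"))
        elif end <= start:
            findings.append((service, "zero or negative lifetime"))
        elif end <= now:
            findings.append((service, "expired"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: klist -c /tmp/krb5cc_UID_XXXXXX | python3 this_script.py
    for service, problem in check_klist(sys.stdin.read(), datetime.now()):
        print(f"{service}: {problem}")
```

Run against the cache right after login, a non-empty result for the `krbtgt` entry means services such as Kerberized NFS will not get a usable ticket.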