
List:       sssd-users
Subject:    [SSSD-users] sssd-krb5, krb5_ccachedir, DIR-cache-store...
From:       "Jostein Fossheim" <nightowl () vigilantes ! no>
Date:       2019-09-22 16:16:58
Message-ID: 20190922161658.8143.25682 () mailman01 ! phx2 ! fedoraproject ! org

We are working with several Kerberos REALMS and are trying to get our clients to
store their Kerberos tickets in a DIRECTORY. This seems to work nicely for clients
not authenticating at login, with the following configuration set in
/etc/krb5.conf.
...
[libdefaults]
...

default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...

user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM

Valid starting     Expires            Service principal
09/22/19 17:35:50  09/23/19 17:35:48  krbtgt/user@REALM

Each ticket is stored in a separate file.

For clients using sssd for login, I want to set up the same behavior. But when I
attempt to log in, the system creates "/tmp/krb5cc_${UID}" - but here the directory
doesn't get the executable bit set (that is, the directory gets 0600 permissions), and the
login fails.

In the man page from Debian buster (sssd version 1.16.3), there are two settings that
seem to regulate this behaviour:

krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of
krb5_ccname_template can be used here, too, except %d and %P. The directory is
created as private and owned by the user, with permissions set to 0700.

Default: /tmp

krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently
supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either
as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the
template, the following sequences are substituted:

[...]

If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in
a safe way.

When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U",
which uses the Linux kernel keyring to store credentials on a per-UID basis. This is
also the recommended choice, as it is the most secure and predictable method.

The default value for the credential cache name is sourced from the profile stored in
the system wide krb5.conf configuration file in the [libdefaults] section. The option
name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for
additional information on the expansion format defined by krb5.conf.

NOTE: Please be aware that the libkrb5 ccache expansion template from krb5.conf(5) uses
different expansion sequences than SSSD.

Default: (from libkrb5)

...

I have tried to both set and unset the two parameters in question, like this:

krb5_ccachedir = /tmp/krb5cc_%U

krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX

But the configuration options seem to be ignored, no matter what I do, and I have
the same behavior: a non-executable directory is created and the user is unable to
log in.

If I set the +x bit on the directory manually as the root user, everything works.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
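Added example, not part of the original post and not SSSD project code: a small POSIX shell diagnostic that checks whether a DIR-type credential cache directory has the permissions the quoted man page text promises (a directory, private to its owner, mode 0700) and reports the 0600 case the post describes, where the owner execute (search) bit is missing. It assumes GNU coreutils `stat -c`; the function names, path argument and return codes are conventions chosen here.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Checks that a DIR-type
# Kerberos credential cache directory matches what the sssd-krb5 man page
# promises for krb5_ccachedir: a directory, private to its owner, with the
# owner search (x) bit set. A 0600 directory, as reported in the post, is
# exactly the case this flags.

# ccache_dir_mode DIR -> prints the three low octal permission digits (e.g. 700).
# Assumes GNU coreutils stat(1); on BSD/macOS use `stat -f '%Lp'` instead.
ccache_dir_mode() {
    stat -c '%a' "$1" | sed 's/.*\(...\)$/\1/'
}

# check_ccache_dir DIR
# Return codes: 0 ok, 1 owner cannot search the directory (missing x bit),
# 2 path missing, 3 not a directory, 4 accessible to group or others.
check_ccache_dir() {
    dir="$1"
    [ -e "$dir" ] || { echo "missing: $dir"; return 2; }
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 3; }
    perms=$(ccache_dir_mode "$dir")
    owner=${perms%??}          # first digit: owner bits
    rest=${perms#?}            # last two digits: group and other bits
    case "$owner" in
        1|3|5|7) ;;            # x bit set: the owner can enter the directory
        *) echo "owner lacks x bit on $dir (mode $perms); DIR ccache unusable"
           return 1 ;;
    esac
    # krb5_ccachedir is documented as created private (0700): no group/other bits
    [ "$rest" = "00" ] || { echo "$dir is mode $perms; expected 0700"; return 4; }
    echo "ok: $dir is mode $perms"
    return 0
}

# Example invocation for the current user's cache directory, as in the post:
#   check_ccache_dir "/tmp/krb5cc_$(id -u)"
```

Run it as the affected user right after a failed login (for example `check_ccache_dir /tmp/krb5cc_$(id -u)`); a return code of 1 confirms that the missing owner search bit, rather than the ccname template, is what keeps libkrb5 from opening the DIR cache.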



