List: sssd-users
Subject: [SSSD-users] sssd-krb5, krb5_ccachedir, DIR-cache-store...
From: "Jostein Fossheim" <nightowl () vigilantes ! no>
Date: 2019-09-22 16:16:58
Message-ID: 20190922161658.8143.25682 () mailman01 ! phx2 ! fedoraproject ! org
We are working with several Kerberos REALMS and are trying to get our clients to store their Kerberos tickets in a DIRECTORY. This seems to work nicely for clients not authenticating at login, with the following configuration set in /etc/krb5.conf.
...
[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...
user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM
Valid starting Expires Service principal
09/22/19 17:35:50 09/23/19 17:35:48 krbtgt/user@REALM
Each ticket is stored in a separate file.
For clients using sssd for login, I want to set up the same behavior. But when I attempt to log in, the system creates "/tmp/krb5cc_${UID}" - but here the directory doesn't get the executable bit set (that is, the directory gets 0600 permissions), and the login fails.
In the man page from Debian buster (sssd version: 1.16.3), there are two settings that seem to regulate this behaviour:
krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the template, the following sequences are substituted:
[...]
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U", which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
...
I have tried both setting and unsetting the two parameters in question, like this:
krb5_ccachedir = /tmp/krb5cc_%U
krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX
But the configuration options seem to be ignored, no matter what I do, and I have the same behavior: a non-executable directory is created and the user is unable to log in.
If I set the +x bit on the directory manually as the root user, everything works.
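A small check for the symptom described above, added here as an example and not part of the original post: it verifies that a DIR: ccache directory is owned by the expected uid and has exactly the 0700 mode the sssd-krb5 man page promises, and names the missing search (+x) bit when it finds the 0600 case. It assumes GNU coreutils stat (Linux) and uses a scratch directory under mktemp rather than a real /tmp/krb5cc_<uid>.

```shell
#!/bin/sh
# Verify that a Kerberos DIR: credential cache directory is usable by its owner.
# sssd-krb5(5) says krb5_ccachedir is created 0700; a 0600 directory (no owner
# execute/search bit) cannot be entered, so libkrb5 fails to open the cache.
# Assumes GNU stat (Linux).

# check_dir_ccache DIR UID
# Returns 0 when DIR is a directory owned by UID with mode exactly 0700,
# otherwise prints the reason and returns 1.
check_dir_ccache() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    set -- $(stat -c '%a %u' "$dir")   # octal mode and owner uid
    mode=$1
    owner=$2
    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected $want_uid"
        return 1
    fi
    case "$mode" in
        700) return 0 ;;
        600) echo "$dir: mode 0600, owner execute (search) bit missing; DIR: cache unusable"
             return 1 ;;
        *)   echo "$dir: mode 0$mode, expected 0700"
             return 1 ;;
    esac
}

# Constructed demonstration (hypothetical uid 888 in the name, current uid as
# owner): reproduce the 0600 directory from the post, report it, then repair it.
demo_dir_ccache() {
    scratch=$(mktemp -d)
    d="$scratch/krb5cc_888"
    mkdir -m 0600 "$d"
    check_dir_ccache "$d" "$(id -u)" || true     # reports the missing +x bit
    chmod 0700 "$d"
    check_dir_ccache "$d" "$(id -u)" && echo "$d: OK (0700)"
    rm -rf "$scratch"
}

demo_dir_ccache
```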