On Thu, Nov 15, 2018 at 04:17:20PM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
> 
> for posterity's sake, this appears to be a problem with kcm (whatever that
> is, don't know yet, will look it up later).
> 
> I turned it off in /etc/krb5.conf.d/kcm_default_ccache (just comment out the
> two non-comment lines) and after restarting sssd or rebooting, with selinux
> enabled, it works.

ah, sorry, I should have thought of this earlier. This is most probably
https://pagure.io/SSSD/sssd/issue/3376.

SSSD's krb5_child runs as root with the IPA provider, e.g. to be
able to read the keytab for the Kerberos ticket validation. Due to the
issue from above it cannot save the TGT for the user.

bye,
Sumit

> 
> the ticket cache falls back to a keyring one and after logging in with just
> a pin code and the certificate in the card, I have a token.
> 
> I have learnt a lot about how this works ;-), thanks Sumit, Alexander and,
> indirectly through her blogpost, Florence.
> 
> Would it be possible to allow two or more certificates in the smart-card?
> We plan on using yubikeys, and that is just one of its strengths: several
> slots to keep different keys.
> --
> Groeten,
> natxo

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org