On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai....@orange.com wrote:
> Hello,
> 
> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> 
> -          ipa-admintools-3.0.0-47
> 
> -          ipa-client-3.0.0-47
> 
> -          sssd-ipa-1.11.6-30
> 
> 
> According with the following documentation, our users are automatically 
> authenticated to Kerberos at every login :
> https://www.freeipa.org/page/Kerberos
> "When SSSD project is used, the ticket is get for a user automatically as he 
> authenticates to client machine."
> 
> It's working pretty well but some of our users are using nominative accounts 
> for ssh connection then access to Hadoop with an applicative keytab...
> We are agreed than we have to perform a kinit at every connection but when 
> theses users work on several sessions they lose the applicative account 
> ticket :(

If you use credential cache collections (type DIR: or KEYTAB:) SSSD
would only update the individual cache matching the user principal
stored in IPA. The caches for other principals would persist. But if the
principal in the applicative keytab is from the same Kerberos realm you
still might need to use the 'kswitch' command to set the primary
principal. But it should be sufficient to call it only once because the
information is stored in the collection and not overwritten by SSSD.

If this does not work the affected users can add something like:

    export KRB5CCNAME=$HOME/my_cc_cache

to their .bashrc (or related config file of other shells). Then at least
in the shell all commands, like e.g. ssh, would use my_cc_cache with the
credential from the kinit with the keytab.

HTH

bye,
Sumit


> 
> To resume :
> 1
> 
> User1 connect to the system with nominative account
> 
> Nominative Kerberos Ticket
> 
> 2
> 
> User1 use the applicative keytab to access to Hadoop
> 
> Applicative Kerberos Ticket
> 
> 3
> 
> User1 open a new session to the system with nominvative account
> 
> Nominative Kerberos Ticket --> Applicative Kerberos Ticket is lose
> 
> 
> Impact :
> --> Failed developpement
> --> Force the user to re-execute a kinit
> 
> We would know if it is possible to disable the automatic authentication in 
> provide with SSSD?
> 
> Thanks.
> 
> Regards,
> 
> Thibault
> 
> 
> _________________________________________________________________________________________________________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations 
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu 
> ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou 
> falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged 
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete 
> this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been 
> modified, changed or falsified.
> Thank you.
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to