On Wed, Feb 08, 2017 at 09:59:52AM +0100, Kees Bakker wrote:
> Hi,
>
> This is a follow-up on the problem I had with
>   klist: Invalid UID in persistent keyring name while getting default ccache
> (See "How to enable krb5_child log" earlier this month.)
>
> The situation is that we have local users with the same name that exist in
> IPA, but the UIDs are different. We have this on several systems, and it is
> because we are in the process of setting up a FreeIPA server.
>
> Now (so far), on one system the environment variable KRB5CCNAME is set during
> login. (Login via display manager or console, does not matter. If logged via
> SSH then the variable is not set.)
>
> My question: where / how is that variable being set? I'd like to understand
> why this one system is different from the rest.

The variable is set by pam_sss.so during the authentication phase. I suspect
the difference might be in the PAM stack -- maybe on the systems where
KRB5CCNAME is not set, the PAM stack is configured using pam_localuser.so so
that if the username exists in /etc/passwd, only pam_unix.so is tried?

>
> Other details: Ubuntu 16.04 (server and clients).
>
> BTW. The klist / kinit problem can easily be solved by unsetting that
> environment variable.
> --
> Kees
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
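
An added example, not part of the original thread: one way to check the suspicion in the reply above, by listing the auth-phase modules of a PAM file in order and reporting whether pam_localuser.so comes before pam_sss.so. The two sample stacks are constructed and the function names are hypothetical; @include lines are not followed, so feed it the file that actually holds the auth lines.

```sh
#!/bin/sh
# Added example (not from the thread): is pam_localuser.so ahead of pam_sss.so?

# Read a PAM file on stdin; print "lineno control module" per active auth line.
pam_auth_modules() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            type = $1; sub(/^-/, "", type)   # leading "-" only mutes missing-module logs
            if (type != "auth") next
            i = 2; control = $i              # one word, or a bracketed [a=b c=d] list
            if (control ~ /^\[/)
                while (control !~ /\]$/ && i < NF) control = control " " $(++i)
            module = $(i + 1); sub(/^.*\//, "", module)
            print NR, control, module
        }'
}

# Exit status 0 when pam_localuser.so precedes pam_sss.so in the auth stack.
localuser_before_sss() {
    pam_auth_modules | awk '
        $NF == "pam_sss.so" { sss = 1 }
        $NF == "pam_localuser.so" && !sss { first = 1 }
        END { exit !(first && sss) }'
}

# Constructed sample: local accounts are handled by pam_unix.so only.
sample_local_first() { cat <<'EOF'
auth  [success=ok default=1]      pam_localuser.so
auth  [success=done default=die]  pam_unix.so
auth  sufficient                  pam_sss.so use_first_pass
auth  required                    pam_deny.so
session optional                  pam_sss.so
EOF
}

# Constructed sample: pam_unix.so first, then pam_sss.so for every user.
sample_sss_for_all() { cat <<'EOF'
auth  [success=2 default=ignore]  pam_unix.so nullok
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF
}

for s in sample_local_first sample_sss_for_all; do
    if "$s" | localuser_before_sss; then echo "$s: pam_localuser.so precedes pam_sss.so"
    else echo "$s: pam_sss.so is not behind pam_localuser.so"; fi
done
```

On Ubuntu the auth lines normally live in /etc/pam.d/common-auth, so `localuser_before_sss < /etc/pam.d/common-auth` can be compared between the system that sets KRB5CCNAME and one that does not.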