On Wed, Feb 08, 2017 at 09:59:52AM +0100, Kees Bakker wrote:
> This is a follow-up on the problem I had with
> klist: Invalid UID in persistent keyring name while getting default ccache
> (See "How to enable krb5_child log" earlier this month.)
> The situation is that we have local users with the same name that exist in
> but the UIDs are different. We have this on several systems, and it is because
> we are in the process of setting up a FreeIPA server.
> Now (so far), on one system the environment variable KRB5CCNAME is set during
> login. (Login via display manager or console, does not matter. If logged via
> then the variable is not set.)
> My question: where / how is that variable being set? I'd like to understand
> this one system is different from the rest.
The variable is set by pam_sss.so during the authentication phase.
I suspect the difference might be in the PAM stack -- maybe on the
systems where KRB5CCNAME is not set, the PAM stack is configured using
pam_localuser.so so that if the username exists in /etc/passwd, only
pam_unix.so is tried?
> Other details: Ubuntu 16.04 (server and clients).
> BTW. The klist / kinit problem can easily be solved by unsetting that
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
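
The PAM-stack difference suggested in the reply can be checked offline. The following is an added example, not part of the original thread and not SSSD or FreeIPA code: it walks the auth lines of a PAM service file and lists which modules would be called, so you can see whether pam_sss.so is reached for a user who exists in /etc/passwd. Both stacks are constructed samples, the return value "perm_denied" is an assumed outcome for a non-local user, and the walker is a simplified model of Linux-PAM control handling that does not follow include or substack lines.

```python
import re

# Control keywords as [value=action] maps, following pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
AUTH_LINE = re.compile(r"^auth[ \t]+(\[[^\]\n]*\]|\S+)[ \t]+(\S+)", re.M)

def parse_auth(text):
    """Return [(actions, module)] for the auth lines of a PAM service file."""
    stack = []
    for ctl, module in AUTH_LINE.findall(text):
        if ctl.startswith("["):
            stack.append((dict(kv.split("=", 1) for kv in ctl[1:-1].split()), module))
        elif ctl in KEYWORDS:          # include/substack are not followed here
            stack.append((KEYWORDS[ctl], module))
    return stack

def modules_run(text, results):
    """Modules called, in order; results maps module -> return value
    (modules not listed are assumed to return 'success')."""
    ran, failed, stack, i = [], False, parse_auth(text), 0
    while i < len(stack):
        actions, module = stack[i]
        ran.append(module)
        act = actions.get(results.get(module, "success"), actions.get("default", "bad"))
        i += 1
        if act.isdigit():
            i += int(act)              # jump over the next N modules
        elif act == "die" or (act == "done" and not failed):
            break
        elif act == "bad":
            failed = True
    return ran

# Constructed sample stacks (not taken from the thread).
GATED = """
auth [success=ok default=1]      pam_localuser.so
auth [success=done default=die]  pam_unix.so try_first_pass
auth sufficient                  pam_sss.so forward_pass
auth required                    pam_deny.so
"""
SSS_FIRST = """
auth sufficient  pam_sss.so forward_pass
auth required    pam_unix.so try_first_pass
"""
```

With the GATED stack a user found in /etc/passwd stops at pam_unix.so and pam_sss.so is never called, which is the case the reply describes; feeding the function the auth lines from each host shows where the two configurations diverge.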