I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-
wrapped full OS containers for a while.

After upgrading to F25 on the host, systemd disabled access to the KEYRING 
ccache type from nspawn containers since the kernel keyring isn't namespaced. 
So anything that needs to get a keytab results in something like the 
following.

-bash-4.3# kinit
kinit: Invalid UID in persistent keyring name while getting default ccache

dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and 
manually upgrade as if I performed an offline upgrade.

Other than that, no issues to report.

Are there any concerns if I switch the krb5.com default_ccache_name on the 
freeipa systemd-nspawn servers to MEMORY or FILE?  Which would be preferred?

Thanks for the advice.  -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to