First, I'm sorry if this mail is not helpful enough, I'm really just replying
to the part I'm familiar with

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
> 
> I am confronted with a behaviour for which I do not have an explanation for.
> 
> I am using NFS4 Kerberos automounted homeshares and and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain. So here's what I tried:
> 
> 1) Connected via PuTTY from a Windows Machine in the windows domain
>     Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?

> 
> 2) I try to connect form a Linux machine belonging to the IPA domain
>     Kerberos-based login works, I can also access my home directory;
>     klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the
> windows domain
> 
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
> 
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
>     My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.

>     (and why don't I get an nfs ticket when coming from the windows domain?)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to