Re: [Freeipa-users] SSSD Cache and Service Tickets
On 2017-05-15 21:27, Jakub Hrozek wrote:
> [...]
> On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
>> Hi,
>>
>> I am confronted with a behaviour for which I do not have an explanation.
>>
>> I am using NFS4 Kerberos automounted homeshares and recently I got a
>> permission denied (reproducible when I restart autofs on the server I want
>> to connect to) from the Windows Domain. So here's what I tried:
>>
>> 1) Connected via PuTTY from a Windows Machine in the windows domain
>> Kerberos-based login works but I get a "Permission Denied" on my home
>> directory; klist shows no tickets
>
> No tickets at all? Not even an expired ticket?

Unfortunately no tickets.

> Does running klist in cmd.exe show anything?

Yes, it does:

    -bash-4.2$ klist
    klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found

And again... If I connect from my linux machine (within the ipa domain), tickets are there:

    -bash-4.2$ klist
    Ticket cache: KEYRING:persistent:1073895519:1073895519
    Default principal: myu...@mywindowdomain.at

    Valid starting       Expires              Service principal
    2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain...@myipadomain.at
    2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/mywindowdomain...@mywindowdomain.at
            renew until 2017-05-16 15:43:45

From this point on login from windows (AD domain) does - of course - work.

Any ideas how to bring some light into this?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSSD Cache and Service Tickets
First, I'm sorry if this mail is not helpful enough, I'm really just replying
to the part I'm familiar with.

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
>
> I am confronted with a behaviour for which I do not have an explanation.
>
> I am using NFS4 Kerberos automounted homeshares and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain. So here's what I tried:
>
> 1) Connected via PuTTY from a Windows Machine in the windows domain
> Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket? Does running klist in cmd.exe
show anything?

> 2) I try to connect from a Linux machine belonging to the IPA domain
> Kerberos-based login works, I can also access my home directory;
> klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the
> windows domain
>
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
>
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
> My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related is
the KRB5CCNAME variable value.

> (and why don't I get an nfs ticket when coming from the windows domain?)
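As an added example (not code from the thread, SSSD or FreeIPA), a small parser for MIT klist output of the shape quoted above: it reports the cache name, default principal and service tickets, treats the "Credentials cache keyring ... not found" error as an empty cache, and answers whether an unexpired nfs/ service ticket is present at a given time. The sample output is constructed from the lines quoted in the thread, with the principals elided as they are on the page.

```python
import re
from datetime import datetime

# Constructed sample: the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: myu...@mywindowdomain.at

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain...@myipadomain.at
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/mywindowdomain...@mywindowdomain.at
        renew until 2017-05-16 15:43:45
"""
# Constructed sample: the error seen after the PuTTY login in the thread.
NO_CACHE = "klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found"

FMT = "%Y-%m-%d %H:%M:%S"
STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")

def parse_klist(text):
    """Return (cache_name, default_principal, tickets) from MIT klist output.
    A 'klist: ... not found' error line means there is no cache: (None, None, [])."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("klist:"):
            return None, None, []
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("renew until") and tickets:
            # Continuation line belonging to the ticket listed just before it.
            tickets[-1]["renew_until"] = datetime.strptime(line[len("renew until"):].strip(), FMT)
        else:
            m = TICKET_RE.match(line)
            if m:
                tickets.append({"valid_from": datetime.strptime(m.group(1), FMT),
                                "expires": datetime.strptime(m.group(2), FMT),
                                "service": m.group(3), "renew_until": None})
    return cache, principal, tickets

def has_valid_service_ticket(text, service_prefix, now):
    """True if the cache holds a ticket for a service principal starting with
    service_prefix (e.g. 'nfs/') that is valid at 'now' (a '%Y-%m-%d %H:%M:%S' string)."""
    at = datetime.strptime(now, FMT)
    _, _, tickets = parse_klist(text)
    return any(t["service"].startswith(service_prefix) and t["valid_from"] <= at < t["expires"]
               for t in tickets)
```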