My test was via ssh from another node.  I purged the caches (rm 
/var/lib/sss/db/* /var/lib/sss/mb/*) and restarted, but no change.  It looks 
like a new krb5ccache file is created on every login.

Obfuscated sample:
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_wI6zZjSxdS
$ logout
$ ssh XXX (using Kerberos)
$ klist
Ticket cache: FILE:/tmp/krb5cc_NNNN_kf650rCodT


Jay
-----Original Message-----
From: Jakub Hrozek [mailto:[email protected]] 
Sent: Thursday, February 4, 2016 5:23 AM
To: [email protected]
Subject: [SSSD-users] Re: Kerberos Cred Cache name with Active Directory

On Thu, Feb 04, 2016 at 09:29:02AM +0100, Lukas Slebodnik wrote:
> On (04/02/16 04:46), Jay McCanta wrote:
> >I would like to change where sssd creates the krb5 credential cache when 
> >using AD for authentication.
> >It sets KRB5CCNAME as FILE:/tmp/krb5cc_<uid>_<random>.
> >We are running sssd v 1.11.5 (packaged with Ubuntu Trusty 14.04).
> >I have tried setting 'krb_ccachedir' and 'krb_ccname_template' but that 
> >didn't change where the cache got created.  Below is the sssd.conf file.  Is 
> >this possible with the AD provider?
> >
> >Jay McCanta
> >F5 Networks, Inc.
> >
> >[sssd]
> >config_file_version = 2
> >domains = example.com
> >services = nss, pam
> >debug_level = 3
> >
> >[nss]
> >
> >[pam]
> >debug_level = 3
> >
> >[domain/example.com]
> >id_provider = ad
> >auth_provider = ad
> >access_provider = ad
> >ldap_id_mapping = False
> >krb5_ccachedir=/var/run
> >krb5_ccname_template=FILE:%d/krb5cc_%U
> >
> The configuration looks good to me?
> 
> How did you test it?
> ssh? "su", "su -" ...

I'm not 100% sure about all the use-cases (and currently no time to test, 
sadly), but I remember that sssd stores the ccache in the ldb cache and tries 
to reuse the existing one. So chances are you might need to clear the cache 
(and please make sure you're doing this while connected to the network, the 
cache also contains the cached passwords) 
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
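
An added example (not part of the thread and not SSSD code): a small check that compares a cache name reported by klist with what the krb5_ccachedir and krb5_ccname_template settings quoted above describe. The UID 1234 and user name "jay" are constructed stand-ins for the obfuscated NNNN; the expansions handled (%d, %U, %u, %%, trailing XXXXXX) follow sssd-krb5(5), and the /tmp fallback for krb5_ccachedir is an assumption.

```python
import configparser
import re

# Constructed sample: the domain section quoted in the thread.
SSSD_CONF = """\
[domain/example.com]
id_provider = ad
auth_provider = ad
krb5_ccachedir=/var/run
krb5_ccname_template=FILE:%d/krb5cc_%U
"""

def ccname_regex(template, ccdir, uid, user):
    """Turn a krb5_ccname_template into a regex for the resulting KRB5CCNAME."""
    subs = {"d": ccdir, "U": str(uid), "u": user, "%": "%"}
    # A trailing XXXXXX is filled in by mkstemp(3) with six random characters.
    unique = template.endswith("XXXXXX")
    if unique:
        template = template[:-6]
    parts, i = [], 0
    while i < len(template):
        if template[i] == "%":
            key = template[i + 1:i + 2]
            if key not in subs:
                raise ValueError("expansion %%%s not handled here" % key)
            parts.append(re.escape(subs[key]))
            i += 2
        else:
            parts.append(re.escape(template[i]))
            i += 1
    if unique:
        parts.append("[A-Za-z0-9]{6}")
    return re.compile("".join(parts) + r"\Z")

def template_in_effect(conf_text, domain, uid, user, observed):
    """True if the observed cache name is what the domain's settings describe."""
    cp = configparser.RawConfigParser()  # Raw: '%' must not be interpolated
    cp.read_string(conf_text)
    section = cp["domain/" + domain]
    template = section.get("krb5_ccname_template")
    if template is None:
        raise KeyError("krb5_ccname_template is not set for " + domain)
    ccdir = section.get("krb5_ccachedir", "/tmp")  # assumed default: /tmp
    return ccname_regex(template, ccdir, uid, user).match(observed) is not None

if __name__ == "__main__":
    # Cache name from the thread, with constructed UID 1234 in place of NNNN.
    print(template_in_effect(SSSD_CONF, "example.com", 1234, "jay",
                             "FILE:/tmp/krb5cc_1234_wI6zZjSxdS"))
```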