I am having problems consistently getting a TGT after logging in via GDM with smartcard. On first login it normally works, but if I do a 'kdestroy' and then log out of my GNOME session, I don't get a new TGT when I log in to a new session. Instead, the root user has a TGT for my AD user:

[a001329@c20693 ~]$ klist
klist: Credentials cache 'KCM:60483' not found

[root@c20693 ~]# klist
Ticket cache: KCM:0:63363
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-02-13 15:11:38  2019-02-14 01:11:33  krbtgt/[email protected]
        renew until 2019-02-20 15:11:33

A wild guess is that krb5-pkinit works by letting the root user get a TGT for my user and then transfer that cache to my user, or something? In my case that transfer does not happen if I previously performed a kdestroy.

From krb5_child.log:

(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:0:71555]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache] (0x4000): Initializing ccache of type [KCM]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache] (0x4000): CC supports switch
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache] (0x4000): returning: 0
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted.
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data] (0x0200): Received error code 0
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [pack_response_packet] (0x2000): response packet size: [95]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [main] (0x0400): krb5_child completed successfully

After a while (not sure how long) it works as expected again, presumably after a timeout of some sort.

If I disable KCM (by removing /etc/krb5.conf.d/kcm_default_ccache) TGT retrieval works as expected.

Am I missing something or is this a bug?

Regards,
Adam
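
Added example, not part of the original message and not SSSD code: a small parser for krb5_child.log lines in the format quoted above that extracts the KCM cache name krb5_child selected and flags any whose UID component differs from the logging-in user's UID (60483, from the klist error above). The KCM:<uid>[:<residual>] layout, the function names, and the last sample line (constructed for contrast) are assumptions of this example.

```python
import re

# SSSD debug line as quoted in the message:
# (timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): text
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Assumption: KCM cache names look like KCM:<uid> or KCM:<uid>:<residual>.
CCNAME_RE = re.compile(r"tmp_ccname: \[(?P<name>KCM:(?P<uid>\d+)(?::[^\]]+)?)\]")

def parse_line(line):
    """Split one krb5_child.log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_foreign_ccaches(lines, expected_uid):
    """Return records where krb5_child chose a KCM cache owned by another UID."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a krb5_child debug line
        m = CCNAME_RE.search(rec["msg"])
        if m and int(m.group("uid")) != expected_uid:
            findings.append({
                "timestamp": rec["ts"],
                "pid": int(rec["pid"]),
                "ccname": m.group("name"),
                "ccache_uid": int(m.group("uid")),
            })
    return findings

# First two lines are copied from the message; the third is constructed
# to show what a cache in the user's own UID namespace would look like.
SAMPLE_LOG = """\
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:0:71555]
(Wed Feb 13 15:02:01 2019) [[sssd[krb5_child[12999]]]] [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:60483:12345]
""".splitlines()

if __name__ == "__main__":
    for f in find_foreign_ccaches(SAMPLE_LOG, expected_uid=60483):
        print("{timestamp} pid={pid} cache {ccname} belongs to uid {ccache_uid}".format(**f))
```
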
