On Wed, Feb 13, 2019 at 03:25:33PM +0100, Winberg, Adam wrote:
> I am having problems consistently getting a TGT after logging in via GDM
> with smartcard. On first login it normally works, but if I do a 'kdestroy'
> and then logout of my gnome session, I don't get a new TGT when I login to
> a new session. Instead, the root user has a TGT for my AD user:
> 
> [a001329@c20693 ~]$ klist
> klist: Credentials cache 'KCM:60483' not found
> 
> [root@c20693 ~]# klist
> Ticket cache: KCM:0:63363
> Default principal: [email protected]
> 
> Valid starting       Expires              Service principal
> 2019-02-13 15:11:38  2019-02-14 01:11:33  krbtgt/[email protected]
>     renew until 2019-02-20 15:11:33
> 
> A wild guess is that krb5-pkinit works by letting the root user get a TGT
> for my user and then transfer that cache to my user, or something? In my
> case that transfer does not happen if I previously performed a kdestroy.
> 
> From krb5_child.log:
> 
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
> [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
> [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:0:71555]
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
> (0x4000): Initializing ccache of type [KCM]
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
> (0x4000): CC supports switch
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
> (0x4000): returning: 0
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
> [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
> same, none will be deleted.
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
> [pack_response_packet] (0x2000): response packet size: [95]
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [main] (0x0400):
> krb5_child completed successfully
> 
> 
> After a while (not sure how long) it works as expected again, presumably
> after a timeout of some sort.
> 
> If I disable KCM (by removing /etc/krb5.conf.d/kcm_default_ccache) TGT
> retrieval works as expected. Am I missing something or is this a bug?

I guess you hit https://pagure.io/SSSD/sssd/issue/3903 /
https://bugzilla.redhat.com/show_bug.cgi?id=1658813 fixed by
https://pagure.io/SSSD/sssd/c/e49e9f727e4960c8a0a2ed50488dac6e51ddf284?branch=master.

HTH

bye,
Sumit

> 
> 
> Regards,
> Adam

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
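A way to spot the symptom from the quoted log, as an added example that is not part of the thread or of SSSD: it scans krb5_child.log records for `tmp_ccname` values that fall outside the logging-in user's KCM collection. The login UID 60483 is taken from the `KCM:60483` cache name in the post; the last sample line (pid 12345) is constructed for contrast.

```python
import re

# Constructed sample: krb5_child.log lines from the post re-joined onto single
# lines, plus one constructed record (pid 12345) with a per-user cache name.
SAMPLE_LOG = """\
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:0:71555]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache] (0x4000): Initializing ccache of type [KCM]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [main] (0x0400): krb5_child completed successfully
(Wed Feb 13 15:02:41 2019) [[sssd[krb5_child[12345]]]] [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:60483:10291]
"""

# Record header: "(timestamp) [[sssd[krb5_child[pid]]]]", then the rest of the record.
HEADER_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\]\s*(?P<rest>.*)$"
)
# KCM cache names are "KCM:<uid>" or "KCM:<uid>:<subsidiary id>".
CCNAME_RE = re.compile(r"tmp_ccname: \[(KCM:(\d+)(?::\d+)?)\]")


def records(log_text):
    """Yield (timestamp, pid, text) per record, re-joining mail-wrapped lines."""
    current = None
    for line in log_text.splitlines():
        line = line.lstrip("> ").rstrip()  # also accept '>'-quoted excerpts
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group("ts"), int(m.group("pid")), m.group("rest")]
        elif current and line:
            current[2] = (current[2] + " " + line).strip()
    if current:
        yield tuple(current)


def misplaced_caches(log_text, login_uid):
    """Return (timestamp, pid, ccname) where the cache is not in login_uid's collection."""
    hits = []
    for ts, pid, text in records(log_text):
        m = CCNAME_RE.search(text)
        if m and int(m.group(2)) != login_uid:
            hits.append((ts, pid, m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in misplaced_caches(SAMPLE_LOG, 60483):
        print("cache outside user's KCM collection:", hit)
```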