We are working with several Kerberos realms and are trying to get our clients 
to store their Kerberos tickets in a DIRECTORY. This seems to work nicely for 
clients not authenticating at login, with the following configuration set in 
/etc/krb5.conf. 
...
[libdefaults]
...

default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...

user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM

Valid starting     Expires            Service principal
09/22/19 17:35:50  09/23/19 17:35:48  krbtgt/user@REALM

Each ticket is stored in a separate file.  

For clients using sssd for login, I want to set up the same behavior. But when 
I attempt to log in, the system creates "/tmp/krb5cc_${UID}", but here the 
directory doesn't get the executable bit set (that is, the directory gets 
0600 permissions), and the login fails.  

In the man page from Debian buster (sssd version 1.16.3), there are two 
settings that seem to regulate this behaviour: 

krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of 
krb5_ccname_template can be used here, too, except %d and %P. The directory is 
created as private and owned by the user, with permissions set to 0700.

Default: /tmp

krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are 
currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be 
specified either as TYPE:RESIDUAL, or as an absolute path, which implies the 
"FILE" type. In the template, the following sequences are substituted:

[...]

If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique 
filename in a safe way.

When using KEYRING types, the only supported mechanism is 
"KEYRING:persistent:%U", which uses the Linux kernel keyring to store 
credentials on a per-UID basis. This is also the recommended choice, as it is 
the most secure and predictable method.

The default value for the credential cache name is sourced from the profile 
stored in the system wide krb5.conf configuration file in the [libdefaults] 
section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER 
EXPANSION paragraph for additional information on the expansion format defined 
by krb5.conf.

NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) 
uses different expansion sequences than SSSD.

Default: (from libkrb5)

...

I have tried both setting and unsetting the two parameters in question, like this: 

krb5_ccachedir = /tmp/krb5cc_%U

krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX

But the configuration options seem to be ignored, no matter what I do, and I 
have the same behavior: a non-executable directory is created and the user is 
unable to log in. 

If I set the +x bit on the directory manually as the root user, everything 
works. 
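As an added diagnostic (not from the original post, nor from SSSD or MIT Kerberos), the following POSIX shell functions script the inspection described above: they confirm that a DIR ccache directory is owned by the expected uid and has mode 0700 rather than the 0600 the poster observed, and count the per-ticket files inside it. They assume GNU stat(1) format strings and the DIR ccache layout of one "tkt*" file per cached credential.

```shell
#!/bin/sh
# Checks for an MIT Kerberos DIR-type credential cache directory.
# A directory without the execute (search) bit cannot be traversed, so
# libkrb5 cannot open the per-ticket files inside it even though the
# directory itself is owned by the user.
# Assumption: GNU coreutils stat(1), i.e. Linux.

# check_ccache_dir DIR UID
#   returns 0 if DIR is a directory owned by UID with mode 0700,
#   returns 1 and prints a one-line diagnosis otherwise.
check_ccache_dir() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected $want_uid"
        return 1
    fi
    case "$mode" in
        700) return 0 ;;
        600) echo "$dir: mode 0600, execute (search) bit missing; expected 0700"
             return 1 ;;
        *)   echo "$dir: mode 0$mode, expected 0700"
             return 1 ;;
    esac
}

# count_tickets DIR
#   prints the number of tkt* files in DIR (assumption: the DIR ccache
#   stores each credential in its own tkt* file, plus a "primary" pointer file).
count_tickets() {
    n=0
    for f in "$1"/tkt*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run as the affected user right after a failed login, e.g. `check_ccache_dir /tmp/krb5cc_888 888`, to tell a permissions problem apart from an ownership or missing-directory problem.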
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org