On (30/06/16 15:38), Sumit Bose wrote:
>On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai....@orange.com wrote:
>> Hello,
>>
>> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>>
>> - ipa-admintools-3.0.0-47
>>
>> - ipa-client-3.0.0-47
>>
>> - sssd-ipa-1.11.6-30
>>
>>
>> According with the following documentation, our users are automatically
>> authenticated to Kerberos at every login :
>> https://www.freeipa.org/page/Kerberos
>> "When SSSD project is used, the ticket is get for a user automatically as he
>> authenticates to client machine."
>>
>> It's working pretty well but some of our users are using nominative accounts
>> for ssh connection then access to Hadoop with an applicative keytab...
>> We are agreed that we have to perform a kinit at every connection but when
>> these users work on several sessions they lose the applicative account
>> ticket :(
>
>If you use credential cache collections (type DIR: or KEYTAB:) SSSD

According to versions of sssd, it looks like el6. And KEYRING collection
ccache is not on el6. I'm not sure about DIR collection ccache.

>would only update the individual cache matching the user principal
>stored in IPA. The caches for other principals would persist. But if the
>principal in the applicative keytab is from the same Kerberos realm you
>still might need to use the 'kswitch' command to set the primary
>principal. But it should be sufficient to call it only once because the
>information is stored in the collection and not overwritten by SSSD.
>
>If this does not work the affected users can add something like:
>
>    export KRB5CCNAME=$HOME/my_cc_cache
                       ^
Is FILE: considered as default or does it need to be written as well for
KRB5CCNAME

LS
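
The separate-cache approach from the quoted reply, as an added example that is not part of the original thread: it puts the keytab principal's tickets in a private cache with an explicit FILE: type, so the login cache is left alone. The function names, cache directory, keytab path and principal are assumptions.

```shell
#!/bin/bash
# Added example: names, paths and the principal are hypothetical.

# Per-principal cache name with an explicit FILE: type. MIT krb5 treats an
# untyped name as FILE:, but spelling it out removes the ambiguity.
app_ccname() {
    local principal="$1" base="${2:-$HOME/.krb5cc}" safe
    # Map '/', '@' and anything else unusual to '_' for a safe file name.
    safe=$(printf '%s' "$principal" | tr -c 'A-Za-z0-9._-' '_')
    printf 'FILE:%s/%s\n' "$base" "$safe"
}

# A keytab holds long-term keys: accept it only when group and other
# have no permission bits at all (e.g. mode 600 or 400).
keytab_is_private() {
    local keytab="$1" bits
    [ -f "$keytab" ] || return 1
    bits=$(ls -ldL "$keytab" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Run a command with tickets for the keytab principal in its own cache.
with_app_ticket() {
    local keytab="$1" principal="$2" cc
    shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing $keytab: readable by group or other" >&2
        return 2
    fi
    cc=$(app_ccname "$principal")
    mkdir -p -m 700 "$(dirname "${cc#FILE:}")" || return 3
    # KRB5CCNAME is set only for these two child processes, so the login
    # cache that SSSD refreshes at each authentication is never touched.
    KRB5CCNAME="$cc" kinit -k -t "$keytab" "$principal" || return 3
    KRB5CCNAME="$cc" "$@"
}

# Usage (constructed values):
#   with_app_ticket /etc/security/keytabs/app.keytab app@EXAMPLE.COM hdfs dfs -ls /
```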