On (30/06/16 15:38), Sumit Bose wrote:
>On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai....@orange.com wrote:
>> Hello,
>> 
>> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>> 
>> - ipa-admintools-3.0.0-47
>> - ipa-client-3.0.0-47
>> - sssd-ipa-1.11.6-30
>> 
>> 
>> According to the following documentation, our users are automatically 
>> authenticated to Kerberos at every login :
>> https://www.freeipa.org/page/Kerberos
>> "When SSSD project is used, the ticket is get for a user automatically as he 
>> authenticates to client machine."
>> 
>> It's working pretty well but some of our users are using nominative accounts 
>> for ssh connection then access to Hadoop with an applicative keytab...
>> We agree that we have to perform a kinit at every connection but when 
>> these users work on several sessions they lose the applicative account 
>> ticket :(
>
>If you use credential cache collections (type DIR: or KEYTAB:) SSSD
According to the versions of sssd, it looks like el6.
And KEYRING collection ccache is not on el6.
I'm not sure about DIR collection ccache.

>would only update the individual cache matching the user principal
>stored in IPA. The caches for other principals would persist. But if the
>principal in the applicative keytab is from the same Kerberos realm you
>still might need to use the 'kswitch' command to set the primary
>principal. But it should be sufficient to call it only once because the
>information is stored in the collection and not overwritten by SSSD.
>
>If this does not work the affected users can add something like:
>
>    export KRB5CCNAME=$HOME/my_cc_cache
                      ^
                    Is FILE: considered the default, or does it need to be
                    written as well for KRB5CCNAME?
LS
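
Added example, not part of the original messages: a small shell check that classifies a KRB5CCNAME value the way MIT krb5 resolves it (a name with no type prefix is a FILE cache) and reports whether the type can hold a collection of principals. The function names and sample values are constructed for illustration; which collection types are actually available depends on the installed krb5 version.

```shell
#!/bin/sh
# Added example: classify a KRB5CCNAME value (MIT krb5 naming rules).

# Print the cache type. No "TYPE:" prefix means FILE; a one-letter
# prefix is treated as a drive letter, so it is a FILE path too.
cc_type() {
    prefix=${1%%:*}
    if [ "$prefix" = "$1" ] || [ "${#prefix}" -le 1 ]; then
        printf 'FILE\n'
    else
        printf '%s\n' "$prefix"
    fi
}

# Succeed if the type can hold caches for several principals at once.
# List taken from the MIT krb5 documentation; an older krb5 build may
# not support all of them.
cc_is_collection() {
    case "$(cc_type "$1")" in
        DIR|KEYRING|KCM|API) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values.
for name in /home/alice/my_cc_cache FILE:/tmp/krb5cc_1000 \
            DIR:/home/alice/.krb5cc KEYRING:persistent:1000; do
    if cc_is_collection "$name"; then
        echo "$name: $(cc_type "$name") collection, other principals persist"
    else
        echo "$name: $(cc_type "$name") single cache, a new kinit replaces it"
    fi
done
```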
