[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-10 Thread Pavel Březina

On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > I decided to test new sssd/KCM and this is what I get:
> > 
> > - ssh from non sssd/krb machine to new sssd machine, entered password
> > ~ $ klist
> > Ticket cache: KCM:1001
> > Default principal: jo...@infinera.com
> > 
> > Valid starting     Expires            Service principal
> > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> >   renew until 17/05/21 16:47:32
> > ~ $ ksu
> > ksu: Ccache function not supported: not implemented while selecting the best 
> > principal
> > 
> > I also have mit-krb5 master installed.
> > 
> > Did I miss something?

krb5 master contains: 
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb

but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to 
its own function that was used before this commit.



[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-10 Thread Joakim Tjernlund
On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> I decided to test new sssd/KCM and this is what I get:
> 
> - ssh from non sssd/krb machine to new sssd machine, entered password
> ~ $ klist
> Ticket cache: KCM:1001
> Default principal: jo...@infinera.com
> 
> Valid starting     Expires            Service principal
> 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
>   renew until 17/05/21 16:47:32
> ~ $ ksu
> ksu: Ccache function not supported: not implemented while selecting the best 
> principal
> 
> I also have mit-krb5 master installed.
> 
> Did I miss something?

Get a KCM trace for ksu:

(2021-05-10 17:09:47): [kcm] [get_client_cred] (0x4000): Client 
[0x56377e20ead0][14] creds: euid[1001] egid[100] pid[5871] cmd_line['ksu'].
(2021-05-10 17:09:47): [kcm] [get_client_cred] (0x0080): The following failure 
is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
(2021-05-10 17:09:47): [kcm] [setup_client_idle_timer] (0x4000): Idle timer 
re-set for client [0x56377e20ead0][14]
(2021-05-10 17:09:47): [kcm] [accept_fd_handler] (0x0400): Client 
[0x56377e20ead0][14] connected!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with 
length 4
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested 
operation 20
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation 
GET_DEFAULT_CACHE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 0 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 
1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for 
this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, 
running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_default_ccache_send] (0x1000): Getting 
client's default ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_get_default_send] (0x2000): Getting 
the default ccache
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM 
path is [/kcm/persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for 
[persistent/1001/default] is [cn=default,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is 
persistent/1001/default
(2021-05-10 17:09:47): [kcm] [secdb_dfl_url_req] (0x2000): Created request for 
URL /kcm/persistent/1001/default
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from 
[persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for 
[(|(type=simple)(type=binary))] at [cn=default,cn=1001,cn=persistent,cn=kcm] 
with scope=base
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x1000): No secret found
(2021-05-10 17:09:47): [kcm] [sec_get] (0x0040): Cannot retrieve the secret 
[2]: No such file or directory
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all 
ccaches
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM 
path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for 
[persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is 
persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created 
request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at 
[persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for 
[(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] 
with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for 
[cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] 
is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Found 1 ccaches
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all 
caches done
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_name_by_uuid_send] (0x2000): 
Translating UUID to name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM 
path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for 
[persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is 
persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url

[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-10 Thread Joakim Tjernlund
On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > > I decided to test new sssd/KCM and this is what I get:
> > > 
> > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > ~ $ klist
> > > Ticket cache: KCM:1001
> > > Default principal: jo...@infinera.com
> > > 
> > > Valid starting     Expires            Service principal
> > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > >   renew until 17/05/21 16:47:32
> > > ~ $ ksu
> > > ksu: Ccache function not supported: not implemented while selecting the 
> > > best principal
> > > 
> > > I also have mit-krb5 master installed.
> > > 
> > > Did I miss something?
> 
> 
> krb5 master contains: 
> https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> 
> but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to 
> its own function that was used before this commit.

Hmm, not sure what to do here, downgrade mit-krb5? Then I don't get the new KCM 
feature.
The trace didn't help any? Here is an ssh trace in case that helps:

KRB5_TRACE=/dev/stdout ssh devsrv
[7615] 1620662408.437070: ccselect module realm chose cache KCM:1001 with 
client principal jo...@infinera.com for server principal 
host/devsrv.infinera@infinera.com
[7615] 1620662408.437071: Getting credentials jo...@infinera.com -> 
host/devsrv.infinera@infinera.com using ccache KCM:1001
[7615] 1620662408.437072: Retrieving jo...@infinera.com -> 
krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: 
-1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving jo...@infinera.com -> 
host/devsrv.infinera@infinera.com from KCM:1001 with result: 
-1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437079: ccselect module realm chose cache KCM:1001 with 
client principal jo...@infinera.com for server principal 
host/devsrv.infinera@infinera.com
[7615] 1620662408.437080: Getting credentials jo...@infinera.com -> 
host/devsrv.infinera@infinera.com using ccache KCM:1001
[7615] 1620662408.437081: Retrieving jo...@infinera.com -> 
krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: 
-1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437082: Retrieving jo...@infinera.com -> 
host/devsrv.infinera@infinera.com from KCM:1001 with result: 
-1765328137/Ccache function not supported: not implemented
(jocke@devsrv) Password:

 Jocke

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
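
An added example (not from the thread or from either project): a small triage script for `KRB5_TRACE` output like the ssh trace above, which re-joins mail-wrapped records and separates retrievals rejected with the "Ccache function not supported" code from ordinary cache misses. The sample trace is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Result code printed in the thread's trace next to
# "Ccache function not supported: not implemented".
CC_NOT_SUPPORTED = -1765328137

# Constructed sample in KRB5_TRACE format, hard-wrapped the way a mail client
# wraps it. Principals, host names and the pid are placeholders. The
# -1765328243 record is an ordinary cache miss, included for contrast.
SAMPLE_TRACE = """\
[4242] 1620000000.000001: ccselect module realm chose cache KCM:1001 with
client principal alice@EXAMPLE.COM for server principal
host/srv.example.com@EXAMPLE.COM
[4242] 1620000000.000003: Retrieving alice@EXAMPLE.COM ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result:
-1765328137/Ccache function not supported: not implemented
[4242] 1620000000.000004: Retrieving alice@EXAMPLE.COM ->
host/srv.example.com@EXAMPLE.COM from KCM:1001 with result:
-1765328137/Ccache function not supported: not implemented
[4242] 1620000000.000005: Retrieving alice@EXAMPLE.COM ->
host/srv.example.com@EXAMPLE.COM from FILE:/tmp/krb5cc_1001 with result:
-1765328243/Matching credential not found
[4242] 1620000000.000006: Retrieving alice@EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:1001 with result: 0/Success
"""

RECORD_START = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
RETRIEVE = re.compile(
    r"^Retrieving (?P<client>\S+) -> (?P<server>\S+) "
    r"from (?P<ccache>\S+) with result: (?P<code>-?\d+)/(?P<msg>.*)$"
)


def join_records(text):
    """Rebuild one logical record per '[pid] timestamp:' prefix."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line  # continuation of a wrapped record
    return records


def failed_retrievals(text):
    """Return every ccache retrieval whose result code is non-zero."""
    failures = []
    for record in join_records(text):
        m = RETRIEVE.match(RECORD_START.match(record).group(3))
        if m and int(m["code"]) != 0:
            failures.append({"server": m["server"], "ccache": m["ccache"],
                             "code": int(m["code"]), "message": m["msg"]})
    return failures


def unsupported_by_ccache(text):
    """Count 'not supported' retrievals per cache, ignoring plain misses."""
    counts = Counter(f["ccache"] for f in failed_retrievals(text)
                     if f["code"] == CC_NOT_SUPPORTED)
    return dict(counts)


if __name__ == "__main__":
    for ccache, n in unsupported_by_ccache(SAMPLE_TRACE).items():
        print(f"{ccache}: {n} retrievals rejected as unsupported")
```

A non-empty result for a `KCM:` cache points at a mismatch between what the client library requests and what the KCM daemon implements, rather than at missing tickets.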


[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-10 Thread Joakim Tjernlund
On Mon, 2021-05-10 at 16:01 +, Joakim Tjernlund wrote:
> On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > > > I decided to test new sssd/KCM and this is what I get:
> > > > 
> > > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > > ~ $ klist
> > > > Ticket cache: KCM:1001
> > > > Default principal: jo...@infinera.com
> > > > 
> > > > Valid starting     Expires            Service principal
> > > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > > > renew until 17/05/21 16:47:32
> > > > ~ $ ksu
> > > > ksu: Ccache function not supported: not implemented while selecting the 
> > > > best principal
> > > > 
> > > > I also have mit-krb5 master installed.
> > > > 
> > > > Did I miss something?
> > 
> > 
> > krb5 master contains: 
> > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > 
> > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to 
> > its own function that was used before this commit.

FYI, reverting that commit makes it work. 

 Jocke



[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-11 Thread Pavel Březina

On 5/10/21 8:10 PM, Joakim Tjernlund wrote:
> On Mon, 2021-05-10 at 16:01 +, Joakim Tjernlund wrote:
> > On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > > On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > > > > I decided to test new sssd/KCM and this is what I get:
> > > > > 
> > > > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > > > ~ $ klist
> > > > > Ticket cache: KCM:1001
> > > > > Default principal: jo...@infinera.com
> > > > > 
> > > > > Valid starting     Expires            Service principal
> > > > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > > > >   renew until 17/05/21 16:47:32
> > > > > ~ $ ksu
> > > > > ksu: Ccache function not supported: not implemented while selecting the 
> > > > > best principal
> > > > > 
> > > > > I also have mit-krb5 master installed.
> > > > > 
> > > > > Did I miss something?
> > > 
> > > krb5 master contains:
> > > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > > 
> > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to
> > > its own function that was used before this commit.
> 
> FYI, reverting that commit makes it work.

Thanks for the information. Please, open a ticket against krb5.

>   Jocke




[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-11 Thread Joakim Tjernlund
On Tue, 2021-05-11 at 10:25 +0200, Pavel Březina wrote:
> On 5/10/21 8:10 PM, Joakim Tjernlund wrote:
> > On Mon, 2021-05-10 at 16:01 +, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > > > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > > > On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > > > > > I decided to test new sssd/KCM and this is what I get:
> > > > > > 
> > > > > > - ssh from non sssd/krb machine to new sssd machine, entered 
> > > > > > password
> > > > > > ~ $ klist
> > > > > > Ticket cache: KCM:1001
> > > > > > Default principal: jo...@infinera.com
> > > > > > 
> > > > > > Valid starting     Expires            Service principal
> > > > > > 10/05/21 16:47:32  11/05/21 02:47:32  
> > > > > > krbtgt/infinera@infinera.com
> > > > > > renew until 17/05/21 16:47:32
> > > > > > ~ $ ksu
> > > > > > ksu: Ccache function not supported: not implemented while selecting 
> > > > > > the best principal
> > > > > > 
> > > > > > I also have mit-krb5 master installed.
> > > > > > 
> > > > > > Did I miss something?
> > > > 
> > > > 
> > > > krb5 master contains:
> > > > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > > > 
> > > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to
> > > > its own function that was used before this commit.
> > 
> > FYI, reverting that commit makes it work.
> 
> Thanks for the information. Please, open a ticket against krb5.

Easier said than done. I could not find an issue tracker for mit-krb5, is there 
one?
Found a bug email list I mailed but not sure it will get through (I am not 
joining yet another list just to report a bug).

 Jocke


[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-11 Thread Joakim Tjernlund
On Tue, 2021-05-11 at 11:09 +0200, Joakim Tjernlund wrote:
> On Tue, 2021-05-11 at 10:25 +0200, Pavel Březina wrote:
> > On 5/10/21 8:10 PM, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 16:01 +, Joakim Tjernlund wrote:
> > > > On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > > > > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > > > > On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
> > > > > > > I decided to test new sssd/KCM and this is what I get:
> > > > > > > 
> > > > > > > - ssh from non sssd/krb machine to new sssd machine, entered 
> > > > > > > password
> > > > > > > ~ $ klist
> > > > > > > Ticket cache: KCM:1001
> > > > > > > Default principal: jo...@infinera.com
> > > > > > > 
> > > > > > > Valid starting     Expires            Service principal
> > > > > > > 10/05/21 16:47:32  11/05/21 02:47:32  
> > > > > > > krbtgt/infinera@infinera.com
> > > > > > >   renew until 17/05/21 16:47:32
> > > > > > > ~ $ ksu
> > > > > > > ksu: Ccache function not supported: not implemented while 
> > > > > > > selecting the best principal
> > > > > > > 
> > > > > > > I also have mit-krb5 master installed.
> > > > > > > 
> > > > > > > Did I miss something?
> > > > > 
> > > > > 
> > > > > krb5 master contains:
> > > > > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > > > > 
> > > > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback 
> > > > > to
> > > > > its own function that was used before this commit.
> > > 
> > > FYI, reverting that commit makes it work.
> > 
> > Thanks for the information. Please, open a ticket against krb5.
> 
> Easier said than done. I could not find an issue tracker for mit-krb5, is 
> there one?
> Found a bug email list I mailed but not sure it will get through (I am not 
> joining yet another list just to report a bug).
> 
>  Jocke

Managed to add a comment here:
https://github.com/krb5/krb5/pull/1178