Sure thing.
I’ve completely reconfigured the krb stack with sshd/sssd/pcscd
optimizations for AD bound systems.
Because long ago, with the death of PAGs (process authentication groups)
and the dawn of user systemd, there’s no day-to-day technical need for a
user to have unique credential caches f
I am using AFS, similar to kerberized NFS, for user home directories,
and snaps misbehave/fail to work properly here as well.
I'm running more into issues with refreshing snaps and removing snaps.
With home dirs set to the /afs/[cell]/usr and when removing a snap, it
wants to walk every user (all
I have a shim workaround to manage/consolidate all krb ticket caches
under systemd that now works with the user tmpfs directories. This
drastically improves the user experience to that of MS Windows for all
users that ssh/gdm login, with smartcard/pcscd optimizations. Perhaps
some day I will docum
Sigh, this looks like it is being caused by systemd.
Using iwatchnotify, I see sssd is doing everything it's supposed to,
but then systemd comes by and mounts a new tmpfs on TOP of the
/run/user/${uid} directory, masking the krb5cc file.
tmpfs on /run/user/966406121 type tmpfs
(rw,nosuid,
I've verified this has to do with /run/user/${uid}. Doesn't seem to
matter if the run directory has been created.
default_ccache_name = FILE:/tmp/%{uid}/krb5cc works
yet
default_ccache_name = FILE:/run/user/%{uid}/krb5cc does not
--
You received this bug notification because you are a member o
Public bug reported:
sssd fails to create and populate the krb5cc cache when set to
default_ccache_name = FILE:/run/user/%{uid}/krb5cc
/var/log/sssd/krb5_child.log shows directory being created and krb5cc
attempting to be populated, but fails.
(2024-07-09 14:02:17): [krb5_child[3348]] [val
Also, to confirm, this is still a problem in U24.04
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
I would like to bump this up on priority.
We are in the throes of instrumenting a number of gov't security
frameworks, and MFA enforcement with SSH and the need for network
(kerberos) credentials makes this issue a blocking problem for
implementation.
When sshing in with forwarded tickets, the
Marco,
Great! This should be easy for me to test, and I’d be happy to do so.
I may be able to do a regression test to make sure the automated NSSDB
-> openssl upgrade works as well. This would mean however that the
upgrade would need to drop the appropriate sssd.conf.d to configure the
partial_
> On Mar 17, 2021, at 10:01 PM, Marco Trevisan (Treviño)
> <1919...@bugs.launchpad.net> wrote:
>
> So, if I didn't get it wrong, if we'd just use
> /etc/ssl/certs/ca-certificates.crt as the SSSD pam certificate in such case would work?
While this would technically work, it would be really bad n
I agree and concur.
Just need some checks here, as this is a pretty big change in behavior
for a mid-life LTS release.
That said, the new configuration is in line with RHEL8, and will help
reduce the configuration scope for a working solution.
I'll also comment (and perhaps a bit of scope creep
To speak to real world assessment here - there's a big push across many
(US) gov't orgs and industry to deploy MFA. These requirements are not
new, but many have not been enforced due to lack of compliance
checks/certifications.
This is changing with new efforts in the US Gov't industry circles wi
I don't know of a great way to test this without pulling apart
p11_child, or using it as part of a pre-flight check somehow during the
package update. The problem here is you'd need a PKI cert to test that
preflight.
As a failsafe, a dialog during upgrade with a preflight check of
require_cert_au
I've opened this as a new bug here.
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905790
Title:
Make SSSD in 20.04 using OpenSSL and p11-
This change has created a denial-of-service configuration bug for an
untold number of smart card configured (and smart card required)
systems.
p11_child requires the full OpenSSL PEM cert chain to function;
the NSSDB version does not.
So for folks that have configured the minimum in the NSSD