On Wed, 2009-11-11 at 09:35 +0100, Sumit Bose wrote:
> On Tue, Nov 10, 2009 at 11:36:45PM -0500, Brian J. Murrell wrote:
> > On Mon, 2009-11-09 at 21:19 +0100, Sumit Bose wrote:
> > >
> > > Does this mean you are still seeing [Credentials cache I/O operation
> > > failed XXX] in krb5_child.log?
> >
> > No. I am seeing nothing new at all in the krb5_child.log when
> > authentications happen.
> >
> > > this indicates that everything is ok, please send krb5_child.log, if
> > > possible with debug level 10.
> >
> > Even with debug level 10, there is nothing new in the krb5_child.log:
> >
> > $ ls -ltar /var/log/sssd/
> > total 420
> > -rw------- 1 root root 438 2009-11-09 09:23 krb5_child.log
> > drwxr-xr-x 15 root root 4096 2009-11-10 07:41 ..
> > drwxr-xr-x 2 root root 4096 2009-11-10 23:32 .
> > -rw------- 1 root root 152408 2009-11-10 23:32 sssd_pam.log
> > -rw------- 1 root root 238167 2009-11-10 23:32 sssd_KRB.log
> >
> > I have "debug_level = 10" in my [domain/KRB] as well as the [pam]
> > section.
> >
> > Also, I asked previously why I would want per-login unique ccache files
> > with:
> >
> > krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
> >
> > but nobody answered. Do I really want this or is a single ccache file
> > per user (i.e. drop the _XXXXXX in the template) not more ideal?
> >
> > b.
> >
>
> ah, sorry, I misinterpreted your original post. I thought a ccache file
> wasn't created at all when using gnome-screensaver. You are right, if
> you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX' with the
> current version every authentication will create a new ccache file. If
> you want to renew the TGT with every authentication you have to use a
> per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.
>
> We are currently discussing how to handle renewals in a more general way
> so that it would be possible to renew FILE:%d/krb5cc_%U_XXXXXX-style
> files too.

FYI: apparently the option is misdocumented and is called
krb5_ccname_tmpl (not template), this should be fixed shortly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York