On Wed, 2009-11-11 at 09:35 +0100, Sumit Bose wrote:

> ah, sorry, I misinterpreted your original post. I thought a ccache file
> wasn't created at all when using gnome-screensaver.
No, you didn't misinterpret, I don't think. Here's what happened:

1. Logged into gnome, got a ccache file
2. Unlocked the screen with gnome-screensaver and noticed that tickets are not refreshed
   1. in fact I noticed tickets were not being refreshed because eventually, all of my kerberos authorized services (i.e. imap) were failing with expired tickets despite having unlocked my screen many times prior
3. Removed all ccache files
4. Locked screen with gnome-screensaver
5. Successfully unlocked screen with password
6. Observed that the expected ccache file was not re-created by the gnome-screensaver unlocking process

Removing the ccache file(s) was just an effort to further prove that sssd via gnome-screensaver is not renewing tickets. If it were, wouldn't it have created a new ccache file, just like:

    $ kinit
    $ rm $ccache_file
    $ kinit

would?

> You are right, if
> you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX' with the
> current version every authentication will create a new ccache file.

No. Every unique login will create a new ccache file. A gnome desktop user logged in gets a single ccache ticket which every application in the session will use. But that also means that a gnome-screensaver authentication will (re-)use that same ccache file.

> If
> you want to renew the TGT with every authentication you have to use a
> per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.

I don't think so. I think even a per-login-session ccache file that will be created by a gnome session should work if sssd is correctly renewing the TGT, because the same ccache file that was created by gdm should be updated by gnome-screensaver.

> We are currently discussing how to handle renewals in a more general way
> so that it would be possible to renew FILE:%d/krb5cc_%U_XXXXXX-style
> files too.

I really don't see why these FILE:%d/krb5cc_%U_XXXXXX-style files would not renew in the context of a gnome session.
On the other hand, I don't really see the purpose of FILE:%d/krb5cc_%U_XXXXXX-style files where every login session is a new ccache. Can anyone share a use-case where this is needed?

b.
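The thread turns on how the two krb5_ccname_template values behave across successive authentications (the gdm login, then each gnome-screensaver unlock). The following is an added illustration, not code from either poster or from sssd itself: it expands a template using the substitutions documented for krb5_ccname_template in sssd-krb5(5) (%u, %U, %p, %r, %h, %d, %P, %%) and treats a trailing XXXXXX the way a mkstemp-style unique suffix would, which is an assumption about sssd's behaviour rather than its actual implementation. The user, uid, principal and paths are constructed sample values. Running demo() shows that the per-user template resolves to one and the same file on every authentication, while the XXXXXX template produces a fresh file each time.

```python
import os
import re
import tempfile

# Specifier table as documented in sssd-krb5(5) for krb5_ccname_template.
# This expander is an added example, not sssd's own code.
_SPECIFIERS = ("u", "U", "p", "r", "h", "d", "P", "%")


def expand_ccname_template(template, user, uid, principal, realm, home, ccachedir, pid):
    """Expand %-specifiers in a ccache name template; unknown ones are an error."""
    subst = {
        "u": user,            # login name
        "U": str(uid),        # numeric uid
        "p": principal,       # Kerberos principal
        "r": realm,           # Kerberos realm
        "h": home,            # home directory
        "d": ccachedir,       # value of krb5_ccachedir
        "P": str(pid),        # pid of the client process
        "%": "%",             # literal percent sign
    }

    def repl(match):
        key = match.group(1)
        if key not in subst:
            raise ValueError("unknown template specifier %%%s" % key)
        return subst[key]

    return re.sub(r"%(.)", repl, template)


def ccache_path_for_auth(template, **ident):
    """Return the ccache name one authentication would use.

    A template ending in XXXXXX is assumed (hypothetically) to get a
    mkstemp-style unique suffix, so every authentication yields a new file;
    any other template resolves to the same fixed path each time.
    """
    expanded = expand_ccname_template(template, **ident)
    if not expanded.endswith("XXXXXX"):
        return expanded
    scheme, _, path = expanded.partition(":")
    stem = path[:-len("XXXXXX")]
    fd, unique = tempfile.mkstemp(prefix=os.path.basename(stem), dir=os.path.dirname(stem))
    os.close(fd)
    return "%s:%s" % (scheme, unique)


def demo(ccachedir=None):
    """Simulate two authentications (login, then screensaver unlock) per template."""
    if ccachedir is None:
        ccachedir = tempfile.mkdtemp(prefix="ccache-demo-")
    # Constructed sample identity; not from the mailing-list thread.
    ident = dict(user="alice", uid=1000, principal="alice@EXAMPLE.COM",
                 realm="EXAMPLE.COM", home="/home/alice",
                 ccachedir=ccachedir, pid=4242)
    templates = {
        "per_user": "FILE:%d/krb5cc_%U",
        "per_session": "FILE:%d/krb5cc_%U_XXXXXX",
    }
    return {name: [ccache_path_for_auth(t, **ident) for _ in range(2)]
            for name, t in templates.items()}


if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, "->", "same file" if len(set(paths)) == 1 else "new file each time", paths)
```

The per-user form is what lets a later authentication find and refresh the credentials the login created; with the XXXXXX form each authentication writes somewhere new, so whether the original session's ccache gets renewed depends entirely on whether the renewal logic knows which earlier file to update.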
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel