On Sun, 2009-11-15 at 08:22 -0500, Brian J. Murrell wrote:
> On Wed, 2009-11-11 at 19:03 -0500, Simo Sorce wrote:
> >
> > I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U
> > sssd will happily refresh the credentials at screen unlock.
>
> Ahhh. ~light bulb goes on~ I am finally coming around to what you are
> saying. Wow. It's even more broken than I had feared.
>
> Certainly that the ccache filename gets regenerated on each
> authentication is very not so nice. Even if each "session" had a
> separate ccache courtesy of the _XXXXXX, it's imperative that each login
> session (including klist, kinit, gnome-screensaver via sssd, etc.) all
> use the same ccache file, all of the time.
>
> However, that said, I have tried removing the _XXXXXX uniqueness from
> the ccache filename but that does not alleviate my issue here. I now
> have:
>
> krb5_ccachedir = /tmp
> ; krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
> krb5_ccname_template = FILE:%d/krb5cc_%U
>
> And yet I am still getting ccache files with the _XXXXXX postfix on
> them. I have even rebooted completely to ensure that there is nothing
> hanging around in memory causing this.
Brian, I told you 4 messages ago on this very same thread that the doc is
wrong and the option is called krb5_ccname_tmpl in the version you are
using. It has been corrected, and it is called krb5_ccname_template only
in master.

> > Because sssd is generating a new one each time for now (yes it's a bug).
>
> Yeah, just coming around to that concept. Sorry for being so dense.
>
> > Well I think people were worried that using a predictable name (krb5cc_%U)
> > could be used by a malicious user to mount symlink race attacks. We
> > have just copied what is already an available scheme for the krb5
> > libraries, although we might switch to a default of FILE:%d/krb5cc_%U
> > for the 1.0 release to avoid issues.
>
> Hrm. Yeah. On my non-sssd (pam_krb5) machine here, it's also a
> krb5cc_%U_XXXXXX based filename, but everything here in an entire
> gnome-session is using the same file, over and over again.

Which is the right thing to do.

> But I also note that on my non-sssd machines, every process has a
> KRB5CCNAME environment variable, very likely simply through inheritance
> from the process that started the entire login session.

Yes, that's how it works.

> sssd logins don't seem to be setting this variable for the children to
> inherit which is likely the root of all of this issue. Even a simple
> ssh->sssd->bash does not populate the environment with a KRB5CCNAME
> variable.

It should be set by pam_sss; if it is not, please open a bug and assign it
to Sumit (sbose).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
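The thread weighs a predictable ccache name (FILE:%d/krb5cc_%U, which every process of a login session can share) against the _XXXXXX suffix (which defeats symlink races but produces a fresh file per authentication). The following is an added illustration, not sssd's or pam_sss's code: it expands an assumed subset of the template syntax (%d, %U, trailing _XXXXXX) and shows the checks that let a fixed name be reused safely, i.e. lstat first, refuse anything that is not a regular file owned by the user, open with O_NOFOLLOW, and confirm the inode did not change in between. The `demo()` walk-through runs in a throwaway directory with constructed names.

```python
import os
import stat
import tempfile

PREDICTABLE = "FILE:%d/krb5cc_%U"           # the template discussed in the thread
RANDOMISED = "FILE:%d/krb5cc_%U_XXXXXX"     # sssd's default at the time of the thread


def expand_ccname_template(template, ccachedir, username):
    """Expand %d and %U in a FILE: template (assumed subset of sssd's template syntax)."""
    return template[len("FILE:"):].replace("%d", ccachedir).replace("%U", username)


def open_or_create_ccache(path, uid):
    """Return (fd, status): reuse the ccache only if it is a regular file owned by uid."""
    if path.endswith("_XXXXXX"):  # mkstemp: fresh name, O_EXCL, mode 0600, never reused
        fd, _ = tempfile.mkstemp(prefix=os.path.basename(path)[:-6], dir=os.path.dirname(path))
        return fd, "created"
    try:
        st = os.lstat(path)  # lstat, so a symlink is seen as a symlink, not as its target
    except FileNotFoundError:
        return os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600), "created"
    if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
        raise PermissionError(f"refusing {path}: symlink, special file, or not owned by uid {uid}")
    fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    if os.fstat(fd).st_ino != st.st_ino:  # swapped between lstat and open: close the race window
        os.close(fd)
        raise PermissionError(f"refusing {path}: replaced while opening")
    return fd, "reused"


def demo():
    """Constructed walk-through in a temporary directory; returns the status of each step."""
    results = []
    with tempfile.TemporaryDirectory() as ccachedir:
        uid = os.getuid()
        path = expand_ccname_template(PREDICTABLE, ccachedir, "alice")
        for _ in range(2):  # login creates the file; the screen unlock must reuse the same one
            fd, status = open_or_create_ccache(path, uid)
            os.close(fd)
            results.append(status)
        lure = expand_ccname_template(PREDICTABLE, ccachedir, "bob")
        os.symlink(os.path.join(ccachedir, "elsewhere"), lure)  # a symlink sitting at the fixed name
        try:
            open_or_create_ccache(lure, uid)
            results.append("followed")
        except PermissionError:
            results.append("refused")
        fd, status = open_or_create_ccache(expand_ccname_template(RANDOMISED, ccachedir, "alice"), uid)
        os.close(fd)
        results.append(status)
    return results
```

`demo()` returns `['created', 'reused', 'refused', 'created']`: the predictable name is created once and then reused, the symlink is rejected rather than followed, and the _XXXXXX variant always yields a new file.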