URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:

"""
> while testing this PR it looks like `KRB5CCNAME` is not respected. If the
> user uses a different ccache type as defined in `/etc/krb5.conf` or if with
> `default_ccache_name = FILE:/tmp/krb5cc_%{uid}_XXXXXX` the ccache name has a
> random component, authentication does not work.

Hmm, nice catch. Unfortunately sudo resets the environment before PAM invocation, so KRB5CCNAME is not available for the PAM module. It can be made available by adding it to env_keep in /etc/sudoers, but this will also make it available in the called process and this is probably not what we want, so we will have to patch sudo to keep this variable for PAM. I'll ask sudo upstream what our options are.

However, even if the variable is available, gssapi uses the default location:

```
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 91600000
pam_sss_gss: Trying to establish security context
pam_sss_gss: User domain: ipa.vm, Target name: h...@master.client.vm
pam_sss_gss: Unable to establish GSS context [maj:0xd0000, min:0x96c73a8d]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more information
pam_sss_gss: GSSAPI: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_91600000_XXXXXX)
pam_sss_gss: Switching euid from 91600000 to 0
pam_sss_gss: KRB5CCNAME=FILE:/tmp/krb5cc_91600000_nSfT3j
pam_sss_gss: System error [5]: Input/output error
```

@frozencemetery Is there any gssapi call I should call to make it use this variable?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-734305838
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org