[Pkg-sssd-devel] Bug#861222: sssd-krb5 fails to use keyring as credential cache
Marek Szuba
scriptkiddie at wp.pl
Wed Apr 26 08:47:58 UTC 2017
Package: sssd-krb5
Version: 1.11.7-3
On a system configured to use SSSD with LDAP as id_provider and
Krb5 as auth_provider, users cannot log in (via SSH) when the Linux
keyring is to be used as credential cache. The exact errors appearing in
syslog are:
***
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=127.0.0.1 user=johndoe
Credentials cache keyring 'persistent:12345:0' not found
Can't find client principal johndoe at MYREALM.COM in cache collection
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=127.0.0.1 user=johndoe
pam_sss(sshd:auth): received for user johndoe: 4 (System error)
Failed password for johndoe from 127.0.0.1 port 22222 ssh2
***
This happens both when the ticket cache is configured globally
(default_ccache_name = KEYRING:persistent:%{uid} in
krb5.conf/[libdefaults]) and when it is told to use the keyring
specifically in sssd.conf (krb5_ccname_template = KEYRING:persistent:%U
in the right realm declaration).
Only sssd seems to be affected, command-line Kerberos tools such as
kinit happily use the keyring.
According to sssd-krb5(5) on the affected systems, the version of sssd
provided in Jessie should support using the keyring.
After reverting the credential cache to files in /tmp, Kerberos
authentication in sssd works correctly.
I use Debian Jessie (specifically, version 8.7) on amd64, kernel
3.16.39-1+deb8u2 and libc6 2.19-18+deb8u7.
--
MS
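A defender-side log triage check for the failure signature in this report (an added example, not part of the bug report or of sssd itself; the syslog lines are constructed from the excerpt above, and the template expansion assumes only the %{uid} and %U placeholders the report mentions):

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines modelled on the excerpt in the report; not a real capture.
SAMPLE_LOG = """\
Credentials cache keyring 'persistent:12345:0' not found
Can't find client principal johndoe@MYREALM.COM in cache collection
pam_sss(sshd:auth): received for user johndoe: 4 (System error)
pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
"""
KEYRING_MISSING = re.compile(r"Credentials cache keyring '(?P<name>[^']+)' not found")
PAM_SSS_RESULT = re.compile(r"pam_sss\([^)]*\): received for user (?P<user>\S+): (?P<code>\d+) \(")
PAM_SYSTEM_ERR = 4  # the "4 (System error)" in the report; 7 would be PAM_AUTH_ERR (bad password)

@dataclass
class Finding:
    user: str
    pam_code: int
    keyring: Optional[str]  # ccache name libkrb5 reported missing just before this pam_sss result

def expand_template(template: str, uid: int) -> str:
    """Expand %{uid} (krb5.conf default_ccache_name) or %U (sssd.conf krb5_ccname_template)."""
    return template.replace("%{uid}", str(uid)).replace("%U", str(uid))

def keyring_matches_template(keyring: str, template: str, uid: int) -> bool:
    """True if a 'persistent:UID:N' name from the log belongs to the configured KEYRING ccache."""
    expected = expand_template(template, uid)
    expected = expected[len("KEYRING:"):] if expected.startswith("KEYRING:") else expected
    return keyring == expected or keyring.startswith(expected + ":")

def triage(log_text: str) -> List[Finding]:
    """Attach the most recent 'keyring not found' message to the pam_sss result that follows it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        if (m := KEYRING_MISSING.search(line)):
            pending = m.group("name")
            continue
        if (m := PAM_SSS_RESULT.search(line)):
            findings.append(Finding(m.group("user"), int(m.group("code")), pending))
            pending = None  # do not let an old keyring message bleed into later results
    return findings

def keyring_ccache_failures(log_text: str, template: str = "KEYRING:persistent:%{uid}") -> List[Finding]:
    """Failures matching the report: PAM_SYSTEM_ERR right after the configured keyring ccache went missing."""
    return [f for f in triage(log_text)
            if f.pam_code == PAM_SYSTEM_ERR and f.keyring and f.keyring.startswith("persistent:")
            and keyring_matches_template(f.keyring, template, int(f.keyring.split(":")[1]))]
```

Running it against the real journal separates this ccache-type breakage (PAM code 4 with a preceding keyring message) from ordinary wrong-password failures (code 7), which is the distinction the report relies on.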