[Pkg-sssd-devel] Bug#861222: sssd-krb5 fails to use keyring as credential cache

Marek Szuba scriptkiddie at wp.pl
Wed Apr 26 08:47:58 UTC 2017


Package: sssd-krb5
Version: 1.11.7-3

On a system configured to use SSSD with LDAP as id_provider and
Krb5 as auth_provider, users cannot log in (via SSH) when the Linux
keyring is to be used as credential cache. The exact errors appearing in
syslog are:

***

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=127.0.0.1 user=johndoe

Credentials cache keyring 'persistent:12345:0' not found

Can't find client principal johndoe at MYREALM.COM in cache collection

pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=127.0.0.1 user=johndoe

pam_sss(sshd:auth): received for user johndoe: 4 (System error)
Failed password for johndoe from 127.0.0.1 port 22222 ssh2

***

This happens both when the ticket cache is configured globally
(default_ccache_name = KEYRING:persistent:%{uid} in
krb5.conf/[libdefaults]) and when it is told to use the keyring
specifically in sssd.conf (krb5_ccname_template = KEYRING:persistent:%U
in the right realm declaration).

Only sssd seems to be affected; command-line Kerberos tools such as
kinit happily use the keyring.

According to sssd-krb5(5) on the affected systems, the version of sssd
provided in Jessie should support using the keyring.

After reverting the credential cache to files in /tmp, Kerberos
authentication in sssd works correctly.


I use Debian Jessie (specifically, version 8.7) on amd64, kernel
3.16.39-1+deb8u2 and libc6 2.19-18+deb8u7.

-- 
MS
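The report shows two things an administrator has to reason about when chasing this: which credential cache template sssd actually ends up with (sssd.conf's krb5_ccname_template versus krb5.conf's default_ccache_name), and the syslog signature of the failure (a "Credentials cache keyring ... not found" line followed by pam_sss returning 4, System error). The script below is an added example written for this page, not code from the report or from the sssd or Debian projects. The config snippets and log lines are constructed from the values quoted above; the precedence order in effective_ccache (sssd.conf template first, then libkrb5's default_ccache_name, then a FILE fallback) and the fallback path itself are assumptions about the documented defaults, not something the report verifies.

```python
import configparser
import re

# Constructed krb5.conf fragment: the "global" variant from the report.
KRB5_CONF = """
[libdefaults]
default_realm = MYREALM.COM
default_ccache_name = KEYRING:persistent:%{uid}
"""

# Constructed sssd.conf fragment: the "per-domain" variant from the report.
SSSD_CONF = """
[sssd]
domains = example
[domain/example]
id_provider = ldap
auth_provider = krb5
krb5_realm = MYREALM.COM
krb5_ccname_template = KEYRING:persistent:%U
"""

# Constructed syslog excerpt modelled on the lines quoted in the report.
SAMPLE_LOG = [
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=johndoe",
    "Credentials cache keyring 'persistent:12345:0' not found",
    "Can't find client principal johndoe@MYREALM.COM in cache collection",
    "pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=johndoe",
    "pam_sss(sshd:auth): received for user johndoe: 4 (System error)",
    "Failed password for johndoe from 127.0.0.1 port 22222 ssh2",
    # An unrelated pam_sss failure (wrong password, code 7) must not be flagged.
    "pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)",
]

# Assumed fallback when neither config names a cache (hypothetical default).
FILE_FALLBACK = "FILE:/tmp/krb5cc_%U_XXXXXX"


def effective_ccache(sssd_conf_text, krb5_conf_text, domain):
    """Return (template, source) for the cache sssd will use for `domain`.

    Assumed precedence: a krb5_ccname_template in the sssd.conf domain
    section wins; otherwise libkrb5's [libdefaults] default_ccache_name;
    otherwise the FILE fallback above.
    """
    sssd = configparser.ConfigParser(interpolation=None)
    sssd.read_string(sssd_conf_text)
    section = f"domain/{domain}"
    if sssd.has_option(section, "krb5_ccname_template"):
        return sssd.get(section, "krb5_ccname_template"), "sssd.conf"
    krb5 = configparser.ConfigParser(interpolation=None)
    krb5.read_string(krb5_conf_text)
    if krb5.has_option("libdefaults", "default_ccache_name"):
        return krb5.get("libdefaults", "default_ccache_name"), "krb5.conf"
    return FILE_FALLBACK, "built-in default"


def ccache_type(template):
    """Return the cache type prefix, e.g. 'KEYRING' or 'FILE'."""
    return template.split(":", 1)[0].upper()


KEYRING_MISSING = re.compile(r"Credentials cache keyring '(?P<name>[^']+)' not found")
PAM_SSS_RESULT = re.compile(
    r"pam_sss\([^)]*\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)


def diagnose(log_lines):
    """Return (user, keyring) pairs where a keyring cache miss was followed
    by pam_sss reporting code 4 (System error), the pattern in the report."""
    pending_keyring = None
    hits = []
    for line in log_lines:
        m = KEYRING_MISSING.search(line)
        if m:
            pending_keyring = m.group("name")
            continue
        m = PAM_SSS_RESULT.search(line)
        if m and m.group("code") == "4" and pending_keyring:
            hits.append((m.group("user"), pending_keyring))
            pending_keyring = None
    return hits


if __name__ == "__main__":
    template, source = effective_ccache(SSSD_CONF, KRB5_CONF, "example")
    print(f"effective ccache: {template} (from {source}, type {ccache_type(template)})")
    for user, keyring in diagnose(SAMPLE_LOG):
        print(f"keyring ccache failure for {user}: keyring {keyring} not found")
```

Run against the two constructed snippets it reports the sssd.conf template as the effective one; dropping krb5_ccname_template from the domain section makes it fall through to krb5.conf's KEYRING:persistent:%{uid}, which is the second configuration the report says also fails. diagnose deliberately pairs the keyring miss with the following code-4 result so that ordinary wrong-password failures (code 7) are not mistaken for this bug.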


