[37119] in Kerberos
help with persistent ccache
daemon@ATHENA.MIT.EDU (Ben H)
Wed Jun 24 16:10:20 2015
Date: Wed, 24 Jun 2015 15:10:05 -0500
Message-ID: <CAAd7aub2Fgv3_cfVh193ueXyH6jL8JKHF3_sM2=XOjgKFKHgyA@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: kerberos@mit.edu

I'm trying to understand how the newer KEYRING:persistent cache is working
in relation to interactive and GSSAPI SSO.

Using CentOS 6.4 and 7.1.

My 7.x box is using the default configuration of:

    default_ccache_name = KEYRING:persistent:%{uid}

Please take a look at the session below. What we see is that when
performing an interactive login (no tickets) from centos64 to centos71, a
persistent cache is seemingly not created (or at least not found).

However, if I initialize a ticket via kinit for my user and then SSH using
GSSAPI, it appears to have initialized the persistent cache.

Obviously this is problematic because it means the first interactive login
to a 7.x box fails to create a cache and thus can't get a ticket for future
SSO operations.

It appears that if I manually kinit following the first login, the
persistent cache is created.

Why is the cache not initialized on interactive login, and why is an
additional manual kinit required?

Thanks!

[root@centos64-01 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@centos64-01 ~]# ssh sppuser@centos71-01.spptech.com
Password:
Last login: Wed Jun 24 14:59:06 2015 from centos64-01.spptech.com
[sppuser@centos71-01 ~]$ klist
klist: Credentials cache keyring 'persistent:402243354:402243354' not found
[sppuser@centos71-01 ~]$ exit
logout
Connection to centos71-01.spptech.com closed.
[root@centos64-01 ~]# kinit sppuser
Password for sppuser@SPPTECH.COM:
[root@centos64-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sppuser@SPPTECH.COM
Valid starting     Expires            Service principal
06/24/15 14:59:34  06/25/15 00:59:37  krbtgt/SPPTECH.COM@SPPTECH.COM
        renew until 07/01/15 14:59:34
[root@centos64-01 ~]# ssh sppuser@centos71-01.spptech.com
Last login: Wed Jun 24 14:59:21 2015 from centos64-01.spptech.com
[sppuser@centos71-01 ~]$ klist
Ticket cache: KEYRING:persistent:402243354:402243354
Default principal: sppuser@SPPTECH.COM
Valid starting       Expires              Service principal
06/24/2015 14:59:49  06/25/2015 00:59:37  krbtgt/SPPTECH.COM@SPPTECH.COM
        renew until 07/01/2015 14:59:34