[Freeipa-users] SSSD Cache and Service Tickets
Ronald Wimmer
2017-05-15 13:54:22 UTC
Hi,

I am confronted with a behaviour for which I do not have an explanation.

I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied (reproducible when I restart autofs on the server I
want to connect to) from the Windows Domain. So here's what I tried:

1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my
home directory; klist shows no tickets

2) I try to connect from a Linux machine belonging to the IPA domain
Kerberos-based login works, I can also access my home directory;
klist shows nfs/***@IPADOMAIN.AT and the krbtgt for
the windows domain

3) Now - of course - using the homeshares works from both domains
windows and ipa

4) When I do a kdestroy on the machine, using the homeshare when logged
in from windows still works -
My question is WHY? Does SSSD cache the NFS ticket?
(and why don't I get an nfs ticket when coming from the windows
domain?)

Regards

Ronald
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jakub Hrozek
2017-05-15 19:27:48 UTC
First, I'm sorry if this mail is not helpful enough; I'm really just replying
to the part I'm familiar with.
Post by Ronald Wimmer
Hi,
I am confronted with a behaviour for which I do not have an explanation.
I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied (reproducible when I restart autofs on the server I want
1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my home
directory; klist shows no tickets
No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?
Post by Ronald Wimmer
2) I try to connect from a Linux machine belonging to the IPA domain
Kerberos-based login works, I can also access my home directory;
windows domain
3) Now - of course - using the homeshares works from both domains windows
and ipa
4) When I do a kdestroy on the machine, using the homeshare when logged in
from windows still works -
My question is WHY? Does SSSD cache the NFS ticket?
It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.
Post by Ronald Wimmer
(and why don't I get an nfs ticket when coming from the windows domain?)
Ronald Wimmer
2017-05-16 09:30:25 UTC
Post by Jakub Hrozek
[...]
Post by Ronald Wimmer
Hi,
I am confronted with a behaviour for which I do not have an explanation.
I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied (reproducible when I restart autofs on the server I want
1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my home
directory; klist shows no tickets
No tickets at all? Not even an expired ticket?
Unfortunately no tickets.
Post by Jakub Hrozek
Does running klist in cmd.exe show anything?
Yes, it does:
-bash-4.2$ klist
klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found

And again... If I connect from my linux machine (within the ipa domain),
tickets are there:

-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: ***@MYWINDOWDOMAIN.AT

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/***@MYIPADOMAIN.AT
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/***@MYWINDOWDOMAIN.AT
        renew until 2017-05-16 15:43:45

From this point on login from windows (AD domain) does - of course - work.

Any ideas how to bring some light into this?
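A small diagnostic helper, added here and not part of the thread, that tells the three situations above apart from klist-style output: credential cache missing (the "not found" error seen from the Windows side), a cache holding only the krbtgt, an nfs/ service ticket that has already expired, or a valid nfs/ ticket. The klist output, the principal names and the "now" timestamp are constructed; the thread's wildcarded principals have been replaced with placeholders.

```bash
# Constructed klist output modelled on the one posted in the thread
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: user@MYWINDOWDOMAIN.AT

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/nfs.placeholder.test@MYIPADOMAIN.AT
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/MYWINDOWDOMAIN.AT@MYWINDOWDOMAIN.AT
        renew until 2017-05-16 15:43:45'

# Constructed klist output for the "cache missing" case seen when coming from Windows
SAMPLE_KLIST_MISSING="klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found"

# Usage: classify_cache "<klist output>" "<service prefix, e.g. nfs/>" "<now as YYYY-MM-DD HH:MM:SS>"
# Prints one of: no-cache, empty, tgt-only, service-expired, service-ok
classify_cache() {
  local out="$1" svc="$2" now="$3"
  case "$out" in
    klist:*"not found"*) echo no-cache; return 0 ;;
  esac
  # Ticket lines are "<start date> <start time> <expiry date> <expiry time> <principal>".
  # ISO-style timestamps compare correctly as plain strings, so no date(1) is needed.
  printf '%s\n' "$out" | awk -v svc="$svc" -v now="$now" '
    $NF ~ /^krbtgt\// { tgt = 1 }
    index($NF, svc) == 1 {
        found = 1
        expires = $3 " " $4
        if (expires > now) valid = 1
    }
    END {
        if (!tgt && !found) print "empty"
        else if (!found) print "tgt-only"
        else if (!valid) print "service-expired"
        else print "service-ok"
    }'
}
```

Run it against real output with `classify_cache "$(klist 2>&1)" nfs/ "$(date '+%Y-%m-%d %H:%M:%S')"`; a `tgt-only` result on a session that gets "Permission denied" on the home directory points at the missing nfs/ service ticket rather than at SSSD caching.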