[Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

Simo Sorce simo at redhat.com
Thu Jun 30 16:20:23 UTC 2016


On Thu, 2016-06-30 at 18:16 +0200, Lukas Slebodnik wrote:
> On (30/06/16 15:38), Sumit Bose wrote:
> >On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai.ext at orange.com wrote:
> >> Hello,
> >> 
> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> >> 
> >> - ipa-admintools-3.0.0-47
> >> - ipa-client-3.0.0-47
> >> - sssd-ipa-1.11.6-30
> >> 
> >> According to the following documentation, our users are automatically authenticated to Kerberos at every login:
> >> https://www.freeipa.org/page/Kerberos
> >> "When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."
> >> 
> >> It's working pretty well, but some of our users are using nominative accounts for the ssh connection and then access Hadoop with an applicative keytab...
> >> We agree that we have to perform a kinit at every connection, but when these users work in several sessions they lose the applicative account ticket :(
> >
> >If you use credential cache collections (type DIR: or KEYTAB:) SSSD
> According to the sssd version, it looks like el6.
> And KEYRING collection ccache is not on el6.
> I'm not sure about DIR collection ccache.

Correct, RHEL6 has no support for keyring ccaches, only RHEL7.

> >would only update the individual cache matching the user principal
> >stored in IPA. The caches for other principals would persist. But if the
> >principal in the applicative keytab is from the same Kerberos realm you
> >still might need to use the 'kswitch' command to set the primary
> >principal. But it should be sufficient to call it only once because the
> >information is stored in the collection and not overwritten by SSSD.
> >
> >If this does not work the affected users can add something like:
> >
> >    export KRB5CCNAME=$HOME/my_cc_cache
>                       ^
>                     Is FILE: considered the default, or does it need to be
>                     written as well for KRB5CCNAME?

If no ccache type is specified the krb5 libs default to the FILE ccache
type.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
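The workflow Sumit and Simo describe (a per-user DIR: collection so SSSD only refreshes the user's own cache, kswitch to pick the primary principal, and FILE as the implicit type when KRB5CCNAME has no prefix), as an added shell example that is not part of the thread. It assumes MIT krb5 client tools (kinit, kswitch, klist); the principal, keytab path and collection directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes MIT krb5 tools.

# Report the ccache type named by a KRB5CCNAME value. As Simo notes, a value
# with no "TYPE:" prefix is treated by the krb5 libs as a FILE ccache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Collections (DIR:, KEYRING:) hold several principals side by side, so an
# SSSD login refreshes only the user's own cache. A single FILE: cache holds
# one principal and is replaced at every login.
is_collection() {
    case "$(ccache_type "$1")" in
        DIR|KEYRING) return 0 ;;
        *)           return 1 ;;
    esac
}

# Point this session at a per-user DIR: collection, obtain the applicative
# ticket only if it is not already cached, and make it the primary cache.
# Both arguments are placeholders, e.g.
#   use_app_principal 'app/host.example.com@EXAMPLE.COM' "$HOME/app.keytab"
use_app_principal() {
    app_princ="$1"
    keytab="$2"
    coll_dir="$HOME/.krb5cc_collection"          # placeholder location
    mkdir -p "$coll_dir" && chmod 700 "$coll_dir" # DIR: requires an existing dir
    export KRB5CCNAME="DIR:$coll_dir"
    # klist -A lists every cache in the collection with its principal.
    if ! klist -A 2>/dev/null | grep -q "Default principal: $app_princ"; then
        kinit -kt "$keytab" "$app_princ" || return 1
    fi
    # Record the primary principal once; SSSD does not overwrite this.
    kswitch -p "$app_princ"
}
```

Running use_app_principal at the start of each ssh session is idempotent: it kinits only when the applicative cache is missing, then just switches to it.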
