[Freeipa-users] Where in the login process is KRB5CCNAME being set

Jakub Hrozek jhrozek at redhat.com
Wed Feb 8 09:11:07 UTC 2017


On Wed, Feb 08, 2017 at 09:59:52AM +0100, Kees Bakker wrote:
> Hi,
> 
> This is a follow-up on the problem I had with
>   klist: Invalid UID in persistent keyring name while getting default ccache
> (See "How to enable krb5_child log" earlier this month.)
> 
> The situation is that we have local users with the same name that exist in IPA,
> but the UIDs are different. We have this on several systems, and it is because
> we are in the process of setting up a FreeIPA server.
> 
> Now (so far), on one system the environment variable KRB5CCNAME is set during
> login. (Login via display manager or console, does not matter. If logged in via SSH
> then the variable is not set.)
> 
> My question: where / how is that variable being set? I'd like to understand why
> this one system is different from the rest.

The variable is set by pam_sss.so during the authentication phase.

I suspect the difference might be in the PAM stack -- maybe on the
systems where KRB5CCNAME is not set, the PAM stack is configured using
pam_localuser.so so that if the username exists in /etc/passwd, only
pam_unix.so is tried?

> 
> Other details: Ubuntu 16.04 (server and clients).
> 
> BTW. The klist / kinit problem can easily be solved by unsetting that environment
> variable.
> -- 
> Kees
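
One way to test the hypothesis in the reply above on a given host, as an added example that is not part of the original thread: the script lists where pam_localuser.so, pam_unix.so and pam_sss.so sit in the auth stack of one PAM file and flags the case where pam_localuser.so comes before pam_sss.so. The function names, verdict labels and sample stack are constructed for illustration, and files pulled in with @include are not followed.

```shell
#!/bin/sh
# Added example, not from the thread: find pam_localuser.so, pam_unix.so and
# pam_sss.so in the "auth" stack of one PAM file (argument, or stdin).
# Assumption: lines use the usual "type control module [args]" layout.

# Print "position module control" for each auth line naming one of the three.
pam_auth_modules() {
    awk '
        $1 ~ /^#/    { next }                 # comment line
        { sub(/^-/, "", $1) }                 # "-auth": module may be missing
        $1 != "auth" { next }                 # authentication phase only
        {
            n++; ctl = $2; i = 3
            # [success=1 default=ignore] spans several fields: rejoin it
            if (ctl ~ /^\[/)
                while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            mod = $i
            sub(/.*\//, "", mod)              # drop a directory prefix
            if (mod ~ /^pam_(localuser|unix|sss)\.so$/) print n, mod, ctl
        }' "${1:--}"
}

# Verdict labels are this example's own. The control value printed above
# decides what a pam_localuser.so match actually skips.
pam_sss_verdict() {
    pam_auth_modules "${1:--}" | awk '
        $2 == "pam_localuser.so" && !lu  { lu  = $1 }
        $2 == "pam_sss.so"       && !sss { sss = $1 }
        END {
            if (!sss)                print "sss-missing"
            else if (lu && lu < sss) print "localuser-before-sss"
            else                     print "sss-not-gated"
        }'
}

# Constructed sample stack, used when no file is given.
SAMPLE='auth [success=2 default=ignore] pam_localuser.so
auth [success=3 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so'

if [ -n "${1:-}" ]; then
    pam_auth_modules "$1"; pam_sss_verdict "$1"
else
    printf '%s\n' "$SAMPLE" | pam_auth_modules
    printf '%s\n' "$SAMPLE" | pam_sss_verdict
fi
```

On Ubuntu the shared auth stack is normally /etc/pam.d/common-auth; running the script on that file on the host that sets KRB5CCNAME and on one that does not shows whether the two stacks differ.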
