[Freeipa-users] SSSD Cache and Service Tickets

Jakub Hrozek jhrozek at redhat.com
Mon May 15 19:27:48 UTC 2017


First, I'm sorry if this mail is not helpful enough, I'm really just replying
to the part I'm familiar with.

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
> 
> I am confronted with a behaviour for which I do not have an explanation.
> 
> I am using NFS4 Kerberos automounted homeshares and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain. So here's what I tried:
> 
> 1) Connected via PuTTY from a Windows Machine in the windows domain
>     Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?

> 
> 2) I try to connect from a Linux machine belonging to the IPA domain
>     Kerberos-based login works, I can also access my home directory;
>     klist shows nfs/ipanfs.ipadomain.at@IPADOMAIN.AT and the krbtgt for the
> windows domain
> 
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
> 
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
>     My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.

>     (and why don't I get an nfs ticket when coming from the windows domain?)



