I'm trying to understand how the newer KEYRING:persistent cache is working
in relation to interactive and GSSAPI SSO.

Using Centos 6.4 and 7.1.

My 7.x box is using the default configuration of:
default_ccache_name = KEYRING:persistent:%{uid}


Please take a look at the below session.  What we see is that when
performing an interactive login (no tickets) from centos64 to centos71, a
persistent cache is seemingly not created (or at least not found).
However, if I initialize a ticket via kinit for my user and then SSH using
GSSAPI it appears to have initialized the persistent cache.
Obviously this is problematic because it means the first interactive login
to a 7.x box fails to create a cache and thus can't get a ticket for future
SSO operations.
It appears that if I manually kinit following the first login the
persistent cache is created.

Why is the cache not initialized on interactive login, and why is an additional
manual kinit required?

thanks!

[root@centos64-01 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@centos64-01 ~]# ssh [email protected]
Password:
Last login: Wed Jun 24 14:59:06 2015 from centos64-01.spptech.com
[sppuser@centos71-01 ~]$ klist
klist: Credentials cache keyring 'persistent:402243354:402243354' not found
[sppuser@centos71-01 ~]$ exit
logout
Connection to centos71-01.spptech.com closed.

[root@centos64-01 ~]# kinit sppuser
Password for [email protected]:
[root@centos64-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
06/24/15 14:59:34  06/25/15 00:59:37  krbtgt/[email protected]
        renew until 07/01/15 14:59:34
[root@centos64-01 ~]# ssh [email protected]
Last login: Wed Jun 24 14:59:21 2015 from centos64-01.spptech.com
[sppuser@centos71-01 ~]$ klist
Ticket cache: KEYRING:persistent:402243354:402243354
Default principal: [email protected]

Valid starting       Expires              Service principal
06/24/2015 14:59:49  06/25/2015 00:59:37  krbtgt/[email protected]
        renew until 07/01/2015 14:59:34
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
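The session above shows the three klist states an administrator has to tell apart on a host with `default_ccache_name = KEYRING:persistent:%{uid}`: a missing FILE: cache, a missing KEYRING: cache, and a cache that is present. The following POSIX sh script is an added example, not code from the poster or from MIT Kerberos; it parses klist output of the shape shown in the session so a login script can flag the "password login left no cache" case before a later GSSAPI hop fails. The function names (`ccache_status`, `ccache_type`) and the sample strings are this example's own, and reconstructing the full `KEYRING:` name from the quoted keyring name is an assumption about klist's message format.

```shell
#!/bin/sh
# Added example (not part of the original post): classify the state of the
# Kerberos credential cache from the combined stdout/stderr of `klist`.

# Print "missing <name>" (return 1), "present <name>" (return 0) or
# "unknown" (return 2). The argument is the captured klist output.
ccache_status() {
    out="$1"
    case "$out" in
        *"No credentials cache found"*)
            # klist names the default cache it looked for in parentheses
            name=$(printf '%s\n' "$out" \
                | sed -n 's/.*(ticket cache \([^)]*\)).*/\1/p' | head -n 1)
            printf 'missing %s\n' "$name"
            return 1 ;;
        *"Credentials cache keyring"*"not found"*)
            # Assumption: the quoted keyring name is the part after "KEYRING:"
            name=$(printf '%s\n' "$out" \
                | sed -n "s/.*Credentials cache keyring '\([^']*\)' not found.*/KEYRING:\1/p" \
                | head -n 1)
            printf 'missing %s\n' "$name"
            return 1 ;;
        *"Ticket cache: "*)
            name=$(printf '%s\n' "$out" | sed -n 's/^Ticket cache: //p' | head -n 1)
            printf 'present %s\n' "$name"
            return 0 ;;
        *)
            printf 'unknown\n'
            return 2 ;;
    esac
}

# Print the cache type (the prefix before the first colon) of a cache name,
# e.g. FILE or KEYRING.
ccache_type() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Constructed samples, shaped like the lines in the session above.
SAMPLE_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)'
SAMPLE_KEYRING_MISSING="klist: Credentials cache keyring 'persistent:402243354:402243354' not found"
SAMPLE_FILE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM'
SAMPLE_KEYRING='Ticket cache: KEYRING:persistent:402243354:402243354
Default principal: user@EXAMPLE.COM'

# Stand-alone run: report the state of the real cache on this host, if klist
# is installed, and hint at the manual step the post describes.
if command -v klist >/dev/null 2>&1; then
    ccache_status "$(klist 2>&1)" \
        || echo "hint: no usable cache; kinit before relying on GSSAPI SSO"
fi
```

Dropped into a profile script, the non-zero return of `ccache_status` is the signal to act on: after a password login it tells the user (or an audit log) that the persistent keyring cache was never created, which is exactly the state the session above shows before the manual kinit.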