On Mon, 20 Mar 2023 09:27:39 -0300 Andreas Hasenack <andr...@canonical.com> wrote:

> The extra randomness suffix happens when you login via ssh/gssapi.

That is exactly how I'm logging in, authenticating credentials with MS
Active Directory, with configuration set in /etc/sssd/sssd.conf and
/etc/krb5.conf -- after joining with the "realm" command. Winbind is not
involved. And /etc/samba/smb.conf is involved only in so far as setting
"server role = member server" and "kerberos method = secrets and keytab"
(and realm and workgroup). But smb.conf is involved only in so far as it
is needed to mount shares with a type of smb3 and sec=krb5. Without
making any changes to smb.conf I can login and see a credential cache
file in /tmp/ with the extra randomness suffix. So the addition of the
suffix does not seem to involve smb.conf.

To be honest, I'm unclear on the involvement of gssapi. There's nothing
in /etc/pam.d/ which invokes pam_sss_gss.so, and there's nothing explicit
in /etc/sssd/sssd.conf mentioning gss. And sssd.conf(5) seems to indicate
that gssapi is not used unless explicitly configured. So, without really
knowing what gssapi does, I don't see it being called. Yet I believe I've
seen log entries, or something, at some point while I was doing lots of
poking with a stick, that mentioned gssapi. I suppose I could be wrong.

Yup, here's a sample (there are other log entries from auditd):

sssd[15755]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

There are also various messages involving adcli, and some from ldap_child.

Thanks for the help.

> On Sun, Mar 19, 2023 at 9:09 PM Benjamin Kaduk <ka...@mit.edu> wrote:
> >
> > Hmm, on my local machines (one running Debian, one running Ubuntu)
> > I appear to be seeing the expected default /tmp/krb5cc_%{uid}
> > behavior. I couldn't quite follow how your credentials were
> > obtained; were they perhaps obtained as part of the login process?
> > The PAM configuration might well be relevant in that case.
> >
> > -Ben

Regards,

Karl <k...@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
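The thread contrasts the plain default cache name /tmp/krb5cc_%{uid} with the per-login cache that carries an extra random suffix. The script below is an added example written for this page, not code from the thread or from the krb5/sssd projects. It classifies FILE: credential caches in a directory by that naming pattern and audits each one for the two properties a defender cares about: the file is owned by the uid embedded in its name, and it is not readable by anyone else. It assumes GNU stat (-c), the names krb5cc_<uid> (plain) and krb5cc_<uid>_<suffix> (uniquely named), and 0600 as the expected mode; all three are assumptions, not facts taken from the thread.

```shell
# Added example (not from the thread). Audit Kerberos FILE: credential
# caches under a directory, default /tmp.
# Assumptions: GNU coreutils stat; cache names look like krb5cc_<uid>
# (plain default) or krb5cc_<uid>_<suffix> (per-login cache with a
# random suffix); a healthy cache is mode 0600 and owned by <uid>.

# ccache_kind PATH -> prints "plain", "unique" or "other"
ccache_kind() {
  name=${1##*/}
  case $name in
    krb5cc_*) ;;
    *) echo other; return 0 ;;
  esac
  rest=${name#krb5cc_}
  uid_part=${rest%%_*}
  case $uid_part in
    ''|*[!0-9]*) echo other; return 0 ;;   # uid must be all digits
  esac
  suffix=${rest#"${uid_part}_"}
  if [ "$rest" = "$uid_part" ]; then
    echo plain                               # krb5cc_1000
  elif [ -n "$suffix" ] && [ "$suffix" != "$rest" ]; then
    echo unique                              # krb5cc_1000_XXXXXX
  else
    echo other                               # e.g. trailing underscore
  fi
}

# audit_ccaches DIR -> one line per cache; returns 1 if any cache is
# owned by a uid other than the one in its name or is not mode 0600
audit_ccaches() {
  dir=${1:-/tmp}
  rc=0
  for f in "$dir"/krb5cc_*; do
    [ -e "$f" ] || continue                  # no matches: glob stays literal
    kind=$(ccache_kind "$f")
    if [ "$kind" = other ]; then
      echo "SKIP $f (not a krb5cc_<uid> name)"
      continue
    fi
    name=${f##*/}
    rest=${name#krb5cc_}
    uid_in_name=${rest%%_*}
    owner=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")
    status=OK
    [ "$owner" = "$uid_in_name" ] || status="BAD-OWNER(owner=$owner)"
    [ "$mode" = 600 ] || status="$status BAD-MODE($mode)"
    echo "$status $kind $f"
    [ "$status" = OK ] || rc=1
  done
  return $rc
}

# Run as a script: ./ccache_audit.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
  audit_ccaches "${2:-/tmp}"
fi
```

Sourcing the file and calling audit_ccaches /tmp prints one line per cache and exits non-zero on any finding, so it can be dropped into a cron job or a host check; the "unique" label tells you which caches came from the suffixed login path the thread is discussing and which from the plain default name.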