On Tue, 15 Sep 2020, Ronald Wimmer via FreeIPA-users wrote:
On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
I am confronted with a relatively strange behaviour regarding ipa and
automounting. We are using automounted home shares on some of our
systems.

On two almost identical systems I cannot chdir (permission denied) to
user A's home directory on server 1 but chdir to user B's home
directory works. On server 2 it is the exact opposite. On a third
server chdir does not work for both users.

A manual "kinit userA" seems to solve the problem as the user had no
Kerberos credentials? But why? Why was a Kerberos ticket not fetched
automatically?

How did the user log in to the system?

SSH.

Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed to work or does it only work when the user has a valid ticket (from a previous login)?

The latter.

(Does it make a difference when I have no Kerberos ticket on the originating system and I am forced to enter the users password upon login? Both cases should result in obtaining a Kerberos ticket, shouldn't they?)

It depends. A lot, actually:

 - If your SSH client allows forwarding a TGT and the KDC allows it too,
   then logging in with a Kerberos ticket to the SSH server might give you a
   working TGT on the server side. SSSD on the server side is not
   involved here, as Kerberos authentication is handled completely by the SSH
   server.

 - If you log in with a password over SSH and you have PAM authentication
   enabled in the SSH server configuration, SSSD might get you a new
   Kerberos ticket in the user's ccache on the server side.

In either case, 'su - ...' is not giving you any Kerberos ticket unless
it exists already in the target environment. For example, if your system
is configured to use a session-specific KEYRING credentials cache
collection, then 'su - ...' will never be able to access the user's ccache
from another session. The default in RHEL 7 is to use KEYRING with a
persistent ccache, not a session-specific one. The default in RHEL 8 is to
use KCM:, which is also persistent and gives access to the user's ticket from
any session he/she opened.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

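The ccache-scope distinction Alexander describes (session-bound KEYRING vs. persistent KEYRING vs. KCM:) is the thing to check first when 'su - user' finds no ticket that the user's SSH session does have. The script below is an added example, not code from the thread or from FreeIPA/SSSD: it reads default_ccache_name out of a krb5.conf body and says whether a ticket obtained in one session is reachable from another session of the same uid. The four config bodies are constructed samples (the RHEL 7 and RHEL 8 values match the defaults named in the message; the realm name is made up), and live_checks is a hypothetical helper listing the commands one would run on a real host rather than anything the script executes here.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD.
# Classifies the credential cache named by default_ccache_name and states
# whether "su - user" from another session will see a ticket that the user's
# SSH session obtained. The config bodies below are constructed samples.

KRB5_RHEL7_DEFAULT='[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}'

KRB5_SESSION_KEYRING='[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:session'

KRB5_RHEL8_DEFAULT='[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KCM:'

KRB5_NO_SETTING='[libdefaults]
 default_realm = EXAMPLE.TEST'

# Print the value of default_ccache_name from a krb5.conf body, or nothing.
ccache_name() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' \
    | head -n 1
}

# Map a ccache name to how far it is shared between sessions of one uid:
#   shared          any session of that user can reach it, so su - sees it
#   session-only    bound to the session (or process/thread) keyring, so a
#                   fresh su - session never sees it
#   path-dependent  FILE:/DIR: caches; visible only if both sessions resolve
#                   the same path (a %{uid} template without a random suffix)
#   unset           no default_ccache_name; the library's compiled-in default
#                   applies, and a KRB5CCNAME set by PAM may still override it
ccache_scope() {
  case "$1" in
    KEYRING:persistent*)                               echo shared ;;
    KEYRING:session*|KEYRING:process*|KEYRING:thread*) echo session-only ;;
    KCM:*|KCM)                                         echo shared ;;
    FILE:*|DIR:*)                                      echo path-dependent ;;
    '')                                                echo unset ;;
    *)                                                 echo unknown ;;
  esac
}

# One-line verdict for the "su - user from a root shell" case in the thread.
su_verdict() {
  name=$(ccache_name "$1")
  scope=$(ccache_scope "$name")
  case "$scope" in
    shared)         echo "ccache '$name' is shared: su - will reuse a ticket from another session" ;;
    session-only)   echo "ccache '$name' is session-only: su - starts with no ticket, the user must kinit" ;;
    path-dependent) echo "ccache '$name' is path-dependent: works only if both sessions use the same path" ;;
    unset)          echo "no default_ccache_name: library default applies, confirm with klist" ;;
    *)              echo "ccache '$name' is not classified here" ;;
  esac
}

# Hypothetical helper (not run here): what to check on a real host.
# sshd -T needs root and prints lower-cased keywords.
live_checks() {
  grep -n default_ccache_name /etc/krb5.conf
  klist -f            # the F flag marks a forwardable TGT, needed for SSH delegation
  sshd -T | grep -iE '^(gssapiauthentication|usepam) '
}

for cfg in "$KRB5_RHEL7_DEFAULT" "$KRB5_SESSION_KEYRING" \
           "$KRB5_RHEL8_DEFAULT" "$KRB5_NO_SETTING"; do
  su_verdict "$cfg"
done
```

On the SSH side, the forwarding path in the message needs a forwardable TGT on the client (kinit -f, or forwardable = true in [libdefaults]) and GSSAPIDelegateCredentials enabled for that host in the client config; the password path needs UsePAM yes in sshd_config and pam_sss in the sshd PAM stack, since that is what lets SSSD populate the ccache.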