Bug 1017180

Summary: Offline logins with krb5 keyring cache do not produce placeholder cache
Product: [Fedora] Fedora
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 20
CC: abokovoy, jhrozek, lslebodn, pbrezina, rmainz, sbose, sgallagh, ssorce
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-10-06 12:58:19 UTC
Type: Bug
Bug Depends On: 1017292, 1146827    

Description Stephen Gallagher 2013-10-09 11:43:34 UTC
Description of problem:
When performing an offline login with no existing credential cache (first login after boot or after a kdestroy), the SSSD does not generate a pre-expired placeholder cache.

Version-Release number of selected component (if applicable):
sssd-krb5-1.11.1-2.fc20.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. kdestroy
2. sudo killall -USR1 sssd (to force offline auth)
3. su - <username>
4. klist

Actual results:
The login succeeds with cached credentials, but the output of klist shows no credential cache.

Expected results:
The login succeeds with cached credentials and the output of klist shows a credential cache that expired long ago (actually the dawn of the epoch).

Additional info:
The primary reason for the placeholder cache is so that applications like krb5-auth-dialog can monitor the cache and notify the user when it is updated or expired.

Also, this appears to be related to the KEYRING:persistent cache only. When I switched to 'krb5_ccname_template = FILE:/tmp/krb5cc_%U_XXXXXX' and followed the above steps, the placeholder cache was properly created.

Comment 1 Jakub Hrozek 2013-10-09 11:44:43 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2115

Comment 2 Simo Sorce 2014-09-26 15:35:31 UTC
Why do you need that with a kernel keyring?

Comment 3 Lukas Slebodnik 2014-10-06 12:58:19 UTC
Upstream ticket was closed as wontfix. (https://fedorahosted.org/sssd/ticket/2115)