Bug 979206
| Summary: | Cannot log in as AD domain user. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
| Component: | realmd | Assignee: | Stef Walter <stefw> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | abokovoy, asn, dpal, gdeschner, jhrozek, jlayton, sbose, ssorce, stefw, yelley |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-07-10 15:53:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Woodhouse
2013-06-27 23:25:32 UTC
I leave the domain and rejoin it, and now it works. However, I don't get a Kerberos TGT when I log in: [root@dwoodhou-mobl3 ~]# ssh dwoodhou@localhost dwoodhou@localhost's password: Last login: Fri Jun 28 00:45:11 2013 from localhost [dwoodhou@dwoodhou-mobl3 ~]$ klist klist: No credentials cache found (ticket cache DIR::/run/user/10000/krb5cc/tkt) [dwoodhou@dwoodhou-mobl3 ~]$ You need to correctly configure pam_winbind to get kerberos tickets! This might be a realmd issue not a samba issue. I will reopen bug and re-assign to realmd to triage. It might be a realmd issue. It didn't add the krb5_auth option to the pam configuration. But even when I did that manually, and also krb5_ccache_type=FILE, it still didn't actually get me a TGT. Since this is now assigned to realmd: there *is* a realmd issue too. Running 'kinit dwoodhou' was sufficient to make 'realm join' work without a password when I was using SSSD. But with --client-software=winbind it didn't work; I was still asked for a password and had to provide the '-U dwoodhou' argument. The failure to obtain a TGT after I edited the PAM config manually may have been user error. Trying again, it does seem to work now.
However, there are still issues on the winbind side. Firstly, it seems to put the credentials cache in the old location of /tmp/krb5cc_%{uid}. I have to set default_ccache_name in /etc/krb5.conf to match that, or I don't see my credentials when I run 'su dwoodhou' (or, presumably, run things from cron).
Secondly, there is some strangeness with refreshing credentials when I re-authenticate. I logged in to GDM last night and left it, and when I came back in the morning I saw (before unlocking the screen) that it had successfully renewed the TGT. However, when I unlocked the screen, my credentials cache *disappeared*. And was not restored. Trying to reproduce that one now with winbindd at log level 10...
The original issue went away on rejoining the domain, and I have not been able to reproduce it. Everything else mentioned here is also filed elsewhere, I think:
- winbind using /tmp/krb5cc_%{uid} wants a separate bug if the answer to
https://bugzilla.redhat.com/show_bug.cgi?id=796429#c2 is 'no'.
- creds cache being deleted is bug 981033
- 'realm join' not working with Kerberos auth is being handled in bug 976593
- realmd's failure to configure pam_winbind properly is bug 983153
|