Bug 1017180 - Offline logins with krb5 keyring cache do not produce placeholder cache
Product: Fedora
Classification: Fedora
Component: sssd
x86_64 Linux
unspecified Severity low
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
: Regression
Depends On: 1017292 1146827
Reported: 2013-10-09 07:43 EDT by Stephen Gallagher
Modified: 2014-10-06 08:58 EDT
Doc Type: Bug Fix
Last Closed: 2014-10-06 08:58:19 EDT
Type: Bug

Description Stephen Gallagher 2013-10-09 07:43:34 EDT
Description of problem:
When performing an offline login with no existing credential cache (first login after boot or after a kdestroy), the SSSD does not generate a pre-expired placeholder cache.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. kdestroy
2. sudo killall -USR1 sssd (to force offline auth)
3. su - <username>
4. klist

Actual results:
The login succeeds with cached credentials, but the output of klist shows no credential cache.

Expected results:
The login succeeds with cached credentials and the output of klist shows a credential cache that expired long ago (actually the dawn of the epoch).

Additional info:
The primary reason for the placeholder cache is so that applications like krb5-auth-dialog can monitor the cache and notify the user when it is updated or expired.

Also, this appears to be related to the KEYRING:persistent cache only. When I switched to 'krb5_ccname_template = FILE:/tmp/krb5cc_%U_XXXXXX' and followed the above steps, the placeholder cache was properly created.
Comment 1 Jakub Hrozek 2013-10-09 07:44:43 EDT
Upstream ticket:
Comment 2 Simo Sorce 2014-09-26 11:35:31 EDT
Why do you need that with a kernel keyring?
Comment 3 Lukas Slebodnik 2014-10-06 08:58:19 EDT
Upstream ticket was closed as wontfix. (https://fedorahosted.org/sssd/ticket/2115)
