Red Hat Bugzilla – Bug 1017180
Offline logins with krb5 keyring cache do not produce placeholder cache
Last modified: 2014-10-06 08:58:19 EDT
Description of problem:
When performing an offline login with no existing credential cache (first login after boot or after a kdestroy), the SSSD does not generate a pre-expired placeholder cache.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. sudo killall -USR1 sssd (to force offline auth)
3. su - <username>
Actual results:
The login succeeds with cached credentials, but the output of klist shows no credential cache.
Expected results:
The login succeeds with cached credentials and the output of klist shows a credential cache that expired long ago (actually the dawn of the epoch).
The primary reason for the placeholder cache is so that applications like krb5-auth-dialog can monitor the cache and notify the user when it is updated or expired.
Also, this appears to be related to the KEYRING:persistent cache only. When I switched to 'krb5_ccname_template = FILE:/tmp/krb5cc_%U_XXXXXX' and followed the above steps, the placeholder cache was properly created.
Why do you need that with a kernel keyring?
Upstream ticket was closed as wontfix. (https://fedorahosted.org/sssd/ticket/2115)