Description of problem:
If a Kerberos credential cache collection is used, the ssh client does not use the current primary credential cache but picks a different one:

[root@vm-197 ~]# kdestroy -A
[root@vm-197 ~]# klist -A
[root@vm-197 ~]# kinit admin
Password for admin:
[root@vm-197 ~]# kinit Administrator
Password for Administrator:
[root@vm-197 ~]# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
        renew until 28.11.2013 11:25:16
[root@vm-197 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
Administrator                  DIR::/run/user/0/krb5cc/tktLm9rKl
admin                          DIR::/run/user/0/krb5cc/tktk9sv02
[root@vm-197 ~]# ssh -l Administrator vm-197.idm.lab.eng.brq.redhat.com
Administrator@vm-197.idm.lab.eng.brq.redhat.com's password:
[root@vm-197 ~]# klist -A
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
        renew until 28.11.2013 11:25:16

Ticket cache: DIR::/run/user/0/krb5cc/tktk9sv02
Default principal: admin

Valid starting       Expires              Service principal
27.11.2013 11:25:18  28.11.2013 11:25:16  krbtgt/IPASB.SBOSE
27.11.2013 11:25:48  28.11.2013 11:25:16  host/vm-197.idm.lab.eng.brq.redhat.com

The host ticket is obtained for admin although Administrator is the primary one and should be used in this case.

Version-Release number of selected component (if applicable):
openssh-6.2p2-6.fc19 (looks like newer versions in F20 and F21 are affected as well)

Actual results:
Wrong ccache is used by the ssh client.

Expected results:
The ssh client should use the primary credential cache in a credential cache collection.

Additional info:
I rebuilt openssh-6.4p1-2 from F20 on the same F19 host and found the same issue. So it looks like newer versions of openssh are affected as well.
I've had some discussion with Simo and he pointed out that this is expected behavior for Kerberos credential cache collections, as described at http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection

What we need to do is to convert this bug into a documentation bug for Kerberos. At the very least, this change of behavior due to the introduction of the ccache collections should go into the release notes (Fedora 20 and RHEL7). We'll track it at bug #1034958 for RHEL7. This bug can be used to track it for Fedora.
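Added illustration, not part of this bug report and not MIT krb5's code: a simplified Python model of the realm-based client principal selection that the k5wiki page above describes, run over the two caches from the report. With a collection, a GSSAPI client such as ssh asks libkrb5 for the cache whose client principal lives in the target service's realm and only falls back to the primary cache when no realm matches. The realm suffixes on the two client principals (SUBDOM.SUB for Administrator, IPASB.SBOSE for admin, taken from the krbtgt lines) and the [domain_realm] mapping for the host are assumptions; the report shows neither directly.

```python
"""Simplified model of ccache-collection client principal selection.

This is an added illustration, not libkrb5's krb5_cc_select(). It models the
'realm' rule only: prefer the cache whose client principal is in the target
service's realm; otherwise fall back to the collection's primary cache.
"""
from dataclasses import dataclass


@dataclass
class Cache:
    name: str    # e.g. DIR::/run/user/0/krb5cc/tktLm9rKl
    client: str  # default principal, e.g. Administrator@SUBDOM.SUB


# Constructed input modelled on the klist -A output in the report.
# Assumption: the client realms are the krbtgt target realms shown there.
COLLECTION = [
    Cache("DIR::/run/user/0/krb5cc/tktLm9rKl", "Administrator@SUBDOM.SUB"),
    Cache("DIR::/run/user/0/krb5cc/tktk9sv02", "admin@IPASB.SBOSE"),
]
# Administrator was kinit'd last, so its cache is the primary one.
PRIMARY = COLLECTION[0]

# Assumed [domain_realm] mapping; on a real host it comes from /etc/krb5.conf.
DOMAIN_REALM = {
    ".idm.lab.eng.brq.redhat.com": "IPASB.SBOSE",
    ".subdom.sub": "SUBDOM.SUB",
}


def realm_of(principal: str) -> str:
    """Return the realm part of name@REALM."""
    return principal.rsplit("@", 1)[1]


def realm_for_host(hostname: str):
    """Longest-suffix [domain_realm] lookup; None when the host is unmapped."""
    host = hostname.lower()
    best = None
    for suffix, realm in DOMAIN_REALM.items():
        if host == suffix.lstrip(".") or host.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else None


def select_cache(server_principal: str, collection, primary):
    """Pick the cache used for a service principal.

    Accepts host/fqdn@REALM or a referral-style host/fqdn with no realm, in
    which case the host is mapped through DOMAIN_REALM first.
    """
    name, _, realm = server_principal.partition("@")
    if not realm:
        host = name.split("/", 1)[1] if "/" in name else name
        realm = realm_for_host(host)
    if realm:
        for cache in collection:
            if realm_of(cache.client) == realm:
                return cache
    # No cache in the service's realm: fall back to the primary cache.
    return primary


if __name__ == "__main__":
    target = "host/vm-197.idm.lab.eng.brq.redhat.com"
    chosen = select_cache(target, COLLECTION, PRIMARY)
    print(f"{target} -> {chosen.client} ({chosen.name})")
```

Run as a script it reports that the host principal for vm-197 resolves to the admin@IPASB.SBOSE cache even though Administrator is primary, which is exactly what the second `klist -A` in the report shows. If a particular cache must be used for one invocation, MIT krb5 documents that a `DIR::<file>` name (double colon) selects a single cache inside the collection, so setting KRB5CCNAME to that subsidiary cache for the ssh command bypasses the selection entirely.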
wrong component.
(In reply to Alexander Bokovoy from comment #1)
> What we need to do is to convert this bug into documentation bug for
> Kerberos. At the very least, this change of the behavior due to introduction
> of the ccache collections should go to release notes (Fedora 20 and RHEL7).

What documentation do you plan to extend? FreeIPA User Guide? Or Kerberos documentation? This issue does not seem FreeIPA-specific to me, so I would rather ask.
Three places:
- Kerberos documentation, making clear how cache collections work.
- FreeIPA guide, AD trusts chapter, making clear how ccache collections affect cross-realm operations.
- Release notes of the product, pointing to the Kerberos documentation changes.
Makes sense. Feel free to clone this Bugzilla also to other components of the product.
I see no response, moving to documentation component myself.
Mass closure. These bugs were live in RHEL 6.5.