Red Hat Bugzilla – Bug 1264389
The ~/.k5identity file is ignored by kinit
Last modified: 2015-09-18 09:16:34 EDT
Description of problem:
The ~/.k5identity file is ignored by kinit. I think it shouldn't be, because the ccselect plugin with k5identity module seems to be built-in and not disabled.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. useradd user1
2. su - user1
3. echo user2@EXAMPLE.COM > ~/.k5identity
kinit: Client 'user1@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
Credentials acquired for user2@EXAMPLE.COM.
Explicit specification of user works, e.g. the following works:
$ kinit user2
It seems the ~/.k5identity file is not read:
$ strace -fo trace kinit
$ grep k5identity trace
Also no ~/.* file is accessed:
$ grep open trace
According to the documentation (e.g. man krb5.conf), the built-in k5identity module of ccselect interface "Uses a .k5identity file in the user's home directory to select a client principal".
kinit doesn't use krb5_cc_select() function which is the entry point to call ccselect plugins. Only GSSAPI is doing that via kg_cred_resolve() internally, so only code using GSSAPI (gss_init_sec_context() or gss_accept_sec_context()) would be using ccselect interface.
You can check that ccselect interface is indeed called by GSSAPI by running gss-server/gss-client pair:
1. Start a server:
# KRB5_TRACE=/dev/stderr gss-server -keytab /etc/krb5.keytab -verbose host
2. Start a client:
$ KRB5_TRACE=/dev/stderr strace gss-client `hostname` host foo 2>&1|grep k5identity
open("/home/abokovoy/.k5identity", O_RDONLY) = 5
write(4, " 1442575560.404298: ccsel"..., 193 1442575560.404298: ccselect module k5identity chose cache KEYRING:persistent:1000:krb_ccache_DQayVgb with client principal abokovoy@VDA.LI for server principal host/onega.vda.li@VDA.LI
Thanks for info. Is there any way how to setup it to work with different local user name in Red Hat network? My local user name is different from my kerberos user name and I would like to do just 'kinit' not 'kinit KRB_USR_NAME'. I was unable to find anything related in the documentation (not counting .k5identity), but maybe I just haven't looked carefully.
Yes, just use recent SSSD as Jakub explains in his blog post: https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/
OK thanks for info. I thought such functionality is in kerberos or that it's possible to do it with some auth_to_local mapping magic. But I wasn't successful to setup it. I can also create shell alias or add shell wrapper in case it's not directly possible in kerberos. Process/close this bug at your discretion.