#2115 Offline logins with krb5 keyring cache do not produce placeholder cache
Closed: Invalid None Opened 10 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1017180

Description of problem:
When performing an offline login with no existing credential cache (first login
after boot or after a kdestroy), the SSSD does not generate a pre-expired
placeholder cache.

Version-Release number of selected component (if applicable):
sssd-krb5-1.11.1-2.fc20.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. kdestroy
2. sudo killall -USR1 sssd (to force offline auth)
3. su - <username>
4. klist

Actual results:
The login succeeds with cached credentials, but the output of klist shows no
credential cache.

Expected results:
The login succeeds with cached credentials and the output of klist shows a
credential cache that expired long ago (actually the dawn of the epoch).

Additional info:
The primary reason for the placeholder cache is so that applications like
krb5-auth-dialog can monitor the cache and notify the user when it is updated
or expired.

Also, this appears to be related to the KEYRING:persistent cache only. When I
switched to 'krb5_ccname_template = FILE:/tmp/krb5cc_%U_XXXXXX' and followed
the above steps, the placeholder cache was properly created.

The issue will most likely be addressed in the krb5-auth-dialog component rather than in SSSD.

krb5-auth-dialog patch was pushed. Closing.

resolution: => wontfix
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3157

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
