Displaying 20 results from an estimated 97 matches for "default_ccache_name".
2017 Mar 03
2
Use other default credential cache then FILE
Hello, I'm playing around with MIT Kerberos at the moment and have the
problem that openssh does not honor the "default_ccache_name" variable in
/etc/krb5.conf. It looks like the FILE based credential cache is
hardcoded and openssh sets KRB5CCNAME to it, but I would like to use the
KEYRING cache. Is there any way to tell ssh to use the cache set in
"default_ccache_name"? Many thanks in advance and best regard...
2020 Aug 26
8
[Bug 3203] New: Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Bug ID: 3203
Summary: Could default_ccache_name from krb5.conf be used for
GSSAPI connections?
Product: Portable OpenSSH
Version: 8.3p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support...
2024 Jun 06
2
kerberos default_ccache_name with sssd
...incipals using my ticket,
achieving SSO.
*I wanted to see if I could make the cache file user-specific, instead of
the default location (/tmp/krb5cc-blabla).*
I configured sssd.conf with:
krb5_ccachedir = %h
krb5_ccname_template = FILE:%d/.krb5cc_%U
I configured krb5.conf with:
[libdefaults]
default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid}
My sshd_config has the following:
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes
*What I noticed:*
When I ssh to the host I can see...
2024 Jun 11
1
kerberos default_ccache_name with sssd
On 6/6/2024 8:26 AM, Dave Macias wrote:
> *I wanted to see if I could make the cache file user-specific, instead of
> the default location (/tmp/krb5cc-blabla).*
SSH is creating a separate ticket cache file for each login session and owned by the user.
This has been the preferred way to do this for decades.
https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
Your: "Ticket
2024 Jun 11
1
kerberos default_ccache_name with sssd
Thank you both for the replies and explanation!
@douglas
Can I set KRB5CCNAME somewhere so that it uses /home? Where?
But even if I could set the env variable I have this odd behavior:
I now have 4 vms running.
2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post.
From the 4 vms, when I ssh into them, 2 of them set a cache file in the users home and the
2018 Sep 22
2
Printing via SMB-Kerberos no longer works
...ture broke times before by various reasons
> "just a shot in the dark", if you use kerberos tickets in /tmp then
> stuff changed in 18.04 this also broke our cifs automounter
> see here
> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/
> i did
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> in /etc/krb5.conf
> to fix our problem
Thank you very much for your answer!
I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?".
My CIFS mount works fine (as be...
2016 Jan 27
6
NT_STATUS_CONNECTION_REFUSED
...ber ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
Looks like krb5.conf is unconfigured. Is there a Samba guide as to how this
should be configure...
2024 Jun 13
1
kerberos default_ccache_name with sssd
I have not looked at Kerberos in years. But it looks like KRB5CCNAME comes from:
https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197
But it depends on which version of Kerberos you have, and if you also use PAM.
Google for: heimdal kerberos cache name
It looks like there is now a SSSD Kerberos Cache Manager rather than storing in individual files.
On 6/11/2024
2024 Jun 12
1
kerberos default_ccache_name with sssd
Just to show what i mean when i ssh into my vms, 2 vms save the cache in /tmp and the other 2 in /home. See what happens when i run the loop below:
> for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done
rocky8client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
Default
2020 Sep 15
4
smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
...ingly ignores the kerberos
ccache as configured in krb5.conf when using "krb5-user" as the kerberos
package and will instead always default to using "FILE:/tmp/krb5cc_uid".
I tested each valid default ccache name type but smbclient completely
ignores whatever is set as the "default_ccache_name" in the conf file. I
went on to test "heimdal-clients" as the kerberos package and smbclient
appears to be using the ccache that is configured in the conf file. This
behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
Swapping krb5-user for heimdal-clients is not a des...
2020 Sep 17
2
smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
..." ccache types would work with heimdal.
Continuing on...
The heimdal variant of kerberos uses a different parameter name for the
default ccache name property
than what is used by krb5-user. In heimdal the parameter name is
"default_cc_name" and in krb5-user
the parameter name is "default_ccache_name". I was throwing the kitchen sink
at the problem this morning and so,
with krb5-user installed, I decided to try substituting the parameter name
spelling to the heimdal parameter name.
So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}"
instead of
"default_c...
2015 Jun 18
3
wbinfo fails: Error looking up domain users
...LE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
# Useful or not?
default_realm = STUDELEC-SA.COM
dns_lookup_kdc = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
2018 Sep 22
1
Printing via SMB-Kerberos no longer works
...>>> "just a shot in the dark", if you use kerberos tickets in /tmp then
>>> stuff changed in 18.04 this also broke our cifs automounter
>>> see here
>>> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/
>>> i did
>>> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>>> in /etc/krb5.conf
>>> to fix our problem
>>
>> I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?".
>> My CIFS mount works fine (as...
2018 Sep 22
3
Printing via SMB-Kerberos no longer works
Hello,
After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb).
In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type
2016 Oct 25
3
Samba 4.5 and opensuse42.1
.../usr/local/samba/var/locks/sysvol
read only = No
[home]
comment = Directorios Personales
path = /home/usuarios
read only = No
Kerberos works fine
krb5.conf:
[libdefaults]
default_realm = DOMINIO.MTZ.SLD.CU
dns_lookup_realm = false
dns_lookup_kdc = true
default_ccache_name = KEYRING:persistent:%{uid}
When I run this command while configuring my samba:
#net rpc rights grant 'DOMINIO\Domain Admins' SeMachineAccountPrivilege \
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
SeRemoteShutdownPrivilege -UAdministrator
and all works fine.
but w...
2016 Jan 27
2
NT_STATUS_CONNECTION_REFUSED
...ar/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> # kdc = kerberos.example.com
>> # admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>...
2016 Jul 26
4
NT_STATUS_INTERNAL_ERROR
...tent krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
I hope I have passed all the necessary information. If you need any more information, I ask you to let m...
2020 Sep 16
3
smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I know, and i have him the "samba" solution, because ...
I don't know sssd also.
And I don't get the fuss on samba+winbind or samba+sssd
I have 3 services running minimal : samba winbind user-homes.automount
Everything works as it should.
I hope, and i'll add the note here also.
NOTE !
My packages are NOT sssd compliant, you need to recompile SSSD yourself against my samba
2020 Sep 17
0
smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
...heimdal.
> Continuing on...
>
> The heimdal variant of kerberos uses a different parameter name for the
> default ccache name property
> than what is used by krb5-user. In heimdal the parameter name is
> "default_cc_name" and in krb5-user
> the parameter name is "default_ccache_name". I was throwing the kitchen sink
> at the problem this morning and so,
> with krb5-user installed, I decided to try substituting the parameter name
> spelling to the heimdal parameter name.
> So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}"
> i...
2018 Sep 22
0
Printing via SMB-Kerberos no longer works
...by various reasons
>> "just a shot in the dark", if you use kerberos tickets in /tmp then
>> stuff changed in 18.04 this also broke our cifs automounter
>> see here
>> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/
>> i did
>> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>> in /etc/krb5.conf
>> to fix our problem
>
> Thank you very much for your answer!
>
> I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?".
>...