help with persistent ccache

Ben H bhendin at gmail.com
Wed Jun 24 16:10:05 EDT 2015


I'm trying to understand how the newer KEYRING:persistent cache is working
in relation to interactive and GSSAPI SSO.

Using CentOS 6.4 and 7.1.

My 7.x box is using the default configuration of:
default_ccache_name = KEYRING:persistent:%{uid}


Please take a look at the below session.  What we see is that when
performing an interactive login (no tickets) from centos64 to centos71, a
persistent cache is seemingly not created (or at least not found).
However, if I initialize a ticket via kinit for my user and then SSH using
GSSAPI it appears to have initialized the persistent cache.
Obviously this is problematic because it means the first interactive login
to a 7.x box fails to create a cache and thus can't get a ticket for future
SSO operations.
It appears that if I manually kinit following the first login the
persistent cache is created.

Why is the cache not initialized on interactive login, and why is an
additional manual kinit required?

thanks!

[root at centos64-01 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root at centos64-01 ~]# ssh sppuser at centos71-01.spptech.com
Password:
Last login: Wed Jun 24 14:59:06 2015 from centos64-01.spptech.com
[sppuser at centos71-01 ~]$ klist
klist: Credentials cache keyring 'persistent:402243354:402243354' not found
[sppuser at centos71-01 ~]$ exit
logout
Connection to centos71-01.spptech.com closed.

[root at centos64-01 ~]# kinit sppuser
Password for sppuser at SPPTECH.COM:
[root at centos64-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sppuser at SPPTECH.COM

Valid starting     Expires            Service principal
06/24/15 14:59:34  06/25/15 00:59:37  krbtgt/SPPTECH.COM at SPPTECH.COM
        renew until 07/01/15 14:59:34
[root at centos64-01 ~]# ssh sppuser at centos71-01.spptech.com
Last login: Wed Jun 24 14:59:21 2015 from centos64-01.spptech.com
[sppuser at centos71-01 ~]$ klist
Ticket cache: KEYRING:persistent:402243354:402243354
Default principal: sppuser at SPPTECH.COM

Valid starting       Expires              Service principal
06/24/2015 14:59:49  06/25/2015 00:59:37  krbtgt/SPPTECH.COM at SPPTECH.COM
        renew until 07/01/2015 14:59:34

