NFSv4 / Kerberos credentials for Machine account

Hi@all,

I have adapted NFS4 for Kerberos on a UCS5 as described here in the forum.

This also works so far. The client (Ubuntu 20.04 / LM 20.3) dynamically includes its /home/%(DOMAIN_USER) during login using PAM_MOUNT. On the desktop I get the message that the Kerberos ticket is valid.

If I follow the log file of the client during the login, I see the entry there for every login:

Feb 10 09:09:45 pc001 krb5_child[1563]: No credentials cache found (filename: /tmp/krb5cc_1686801128_Vi8AWm)

Where “1686801128” is the ID of the user who logs in.

Does anyone have a tip for me as to what the problem is? The message is not UCS5-specific. I also had it under UCS 4.4.x.

with best
sven

Maybe just ignore the message as you previously reported that it is working for you?

The message might be completely normal as modern Linux kernels provide an in-kernel credential store called keyring: Some Kerberos implementations prefer that as it is more secure compared to the old schema of using a file in a world-writable directory like /tmp/. If - for example - sssd sets up the modern keyring in kernel memory but you call some program expecting the old file in /tmp/, it might print such a message. During login you have some complicated mixture of PAM, sssd, LDAP, Kerberos and other tools interacting with each other. If they use different standards, that might produce that message.

PS: The message is from /usr/libexec/sssd/krb5_child. According to man:sssd.conf(5) you can add debug_level=6 to your [domain] section and monitor /var/log/sssd/krb5_child.log afterwards for more details.
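
An added example, not part of the original posts: a small shell check that tells a file-based credential cache from a keyring or other non-file cache and, for a file cache, reports whether the file exists and is private to its owner. The function names and the expectation of mode 600 are assumptions of this example, and `stat -c` is the GNU coreutils form found on the Ubuntu clients mentioned above.

```shell
#!/bin/sh
# Added example: classify a Kerberos credential cache name and, for
# file-based caches, check that the file exists and is private.

# Print the cache type for a name in KRB5CCNAME syntax (TYPE:residual).
# A bare absolute path without a TYPE: prefix is treated as a FILE cache.
ccache_type() {
    case "$1" in
        FILE:*|DIR:*|KEYRING:*|KCM:*|MEMORY:*|API:*) printf '%s\n' "${1%%:*}" ;;
        /*) echo FILE ;;
        *)  echo UNKNOWN ;;
    esac
}

# Report the state of one cache name.
# Returns 0 if nothing was found wrong, 1 if a FILE cache is missing,
# 2 if a FILE cache has a mode other than 600 (assumed expectation).
check_ccache() {
    name=$1
    type=$(ccache_type "$name")
    if [ "$type" != FILE ]; then
        echo "$name: type $type, not a file; tools looking in /tmp will not find it"
        return 0
    fi
    path=${name#FILE:}
    if [ ! -e "$path" ]; then
        echo "$path: FILE cache does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$path")    # GNU stat syntax
    if [ "$mode" != 600 ]; then
        echo "$path: mode $mode, expected 600"
        return 2
    fi
    echo "$path: FILE cache present, mode 600"
    return 0
}

# Check the cache of the current session, if one is announced.
if [ -n "${KRB5CCNAME:-}" ]; then
    check_ccache "$KRB5CCNAME" || echo "check returned status $?"
fi
```

Run it inside the logged-in user's session, or call `check_ccache` with the file name taken from the log line.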
