I'm having trouble with Kerberos and Ubuntu 20.04.
I'm running a FreeIPA server, but since it works on my CentOS machines, I guess it's a client issue.
The big goal is to have an SSO system for multiple services. Mostly it works as intended, but one thing refuses to work for me:
getting automount/autofs to accept my Kerberos configuration. One major problem is that autofs cannot read the KRB5CCNAME
environment variable. It always uses the libdefaults setting, which would be fine if Ubuntu also did that. However, for some reason, no matter what I try, Ubuntu does not set the KRB5CCNAME environment variable correctly during sign-on, but always defaults to FILE:/tmp/krb5cc_<UID>_<VALUE>.
I would prefer to use the keyring, so I put default_ccache_name = KEYRING:persistent:%{uid}
in the [libdefaults] section of krb5.conf. When I set KRB5CCNAME manually, everything is fine and automount connects to my Samba drives.
But letting the system decide what the variable should contain always results in FILE:...
My client's krb5.conf looks like this:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
ccache_type = 4
[realms]
EXAMPLE.COM = {
kdc = ipa.example.com:80
master_kdc = ipa.example.com:88
admin_server = ipa.example.com:749
kpasswd_server = ipa.example.com:464
default_domain = example.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
client.example.com = EXAMPLE.COM
The SSSD config:
[domain/example.com]
debug_level=10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = EXAMPLE.COM
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_base = cn=accounts,dc=example,dc=com
krb5_ccname_template = KEYRING:persistent:%U
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com
debug_level=10
[nss]
override_shell = /bin/bash
[pam]
offline_credentials_expiration = 60
debug_level=10
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_access_filter = (objectClass=posixAccount)
debug_level=10
[ssh]
[sudo]
Any ideas?
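The precedence the question is fighting (KRB5CCNAME in the environment, then default_ccache_name in [libdefaults], then the FILE:/tmp/krb5cc_<uid> fallback) is what decides whether a login shell and a daemon such as autofs end up looking at the same cache. The following is an added diagnostic script, not code from the original post or from FreeIPA/SSSD: it resolves the effective cache name for a given environment, UID and krb5.conf text so the two can be compared. It parses a constructed krb5.conf fragment modelled on the one above, does not follow includedir directives (a simplification), only expands the %{uid} token, and the function names and the --live flag are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): resolve the credential cache
# that libkrb5 will use, to compare what the PAM login session sees with what
# a daemon started without KRB5CCNAME (e.g. autofs) sees.
# Precedence mirrored here: KRB5CCNAME, then default_ccache_name in
# [libdefaults], then FILE:/tmp/krb5cc_<uid>.
# Assumptions/simplifications: includedir is not followed; only %{uid} is
# expanded (libkrb5 also supports other tokens); names below are my own.

# Constructed krb5.conf fragment modelled on the one in the question.
KRB5_CONF_SAMPLE='[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
ccache_type = 4
[realms]
EXAMPLE.COM = {
kdc = ipa.example.com:88
}'

# default_ccache_name_from_conf CONF_TEXT
# Prints the default_ccache_name value from the [libdefaults] section, or
# nothing if it is not set there.
default_ccache_name_from_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insect && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }'
}

# expand_ccache_template TEMPLATE UID
# Expands the %{uid} token that libkrb5 accepts in default_ccache_name.
expand_ccache_template() {
    printf '%s\n' "$1" | sed "s/%{uid}/$2/g"
}

# effective_ccache KRB5CCNAME_VALUE UID CONF_TEXT
# Prints the cache name a process with that environment would use.
effective_ccache() {
    env_ccname=$1; uid=$2; conf=$3
    if [ -n "$env_ccname" ]; then
        # An explicit KRB5CCNAME always wins over krb5.conf.
        printf '%s\n' "$env_ccname"
        return
    fi
    tmpl=$(default_ccache_name_from_conf "$conf")
    if [ -n "$tmpl" ]; then
        expand_ccache_template "$tmpl" "$uid"
    else
        # Built-in libkrb5 default when nothing is configured.
        printf 'FILE:/tmp/krb5cc_%s\n' "$uid"
    fi
}

# Stand-alone usage against the live system (output varies by host):
#   sh ccache_check.sh --live
if [ "${1-}" = "--live" ]; then
    conf=$(cat /etc/krb5.conf 2>/dev/null || true)
    echo "KRB5CCNAME in this shell : ${KRB5CCNAME:-<unset>}"
    echo "cache this shell will use: $(effective_ccache "${KRB5CCNAME-}" "$(id -u)" "$conf")"
    echo "cache a process without KRB5CCNAME (e.g. autofs) will use: $(effective_ccache "" "$(id -u)" "$conf")"
fi
```

Run with --live from a freshly logged-in session and compare the two "cache ... will use" lines with `klist`: if the login session was given a FILE:/tmp/krb5cc_... name while the configured default resolves to KEYRING:persistent:<uid>, any process that does not inherit KRB5CCNAME will look in the keyring and find no ticket.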