Thank you for the tip! I gave it a try and it works!

I commented out krb5_ccachedir and krb5_ccname_template from sssd.conf.
Updated default_ccache_name in krb5.conf to use KCM:
Enabled the sssd-kcm service
Restarted the sssd service and voila!

rocky8client.domain.net
Ticket cache: KCM:2000:16626
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/12/2024 22:06:43  06/13/2024 22:06:43  krbtgt/DOMAIN.NET@xxxxxxxxxx
        renew until 06/12/2024 22:06:43

rocky9client.domain.net
Ticket cache: KCM:2000:38480
Default principal: jdoe@xxxxxxxxxx

Valid starting     Expires            Service principal
06/12/24 22:06:43  06/13/24 22:06:43  krbtgt/DOMAIN.NET@xxxxxxxxxx
        renew until 06/12/24 22:06:43
Your password will expire in 23 hours.

rocky9server.domain.net
Ticket cache: KCM:2000:82289
Default principal: jdoe@xxxxxxxxxx

Valid starting     Expires            Service principal
06/13/24 02:06:44  06/14/24 02:06:44  krbtgt/DOMAIN.NET@xxxxxxxxxx
        renew until 06/13/24 02:06:44

rocky8server.domain.net
Ticket cache: KCM:2000:29965
Default principal: jdoe@xxxxxxxxxx

Valid starting     Expires            Service principal
06/13/24 02:06:45  06/14/24 02:06:45  krbtgt/DOMAIN.NET@xxxxxxxxxx
        renew until 06/13/24 02:06:45

All VMs (rocky8/9) save the cache in memory. And the nice thing with sssd-kcm is that it survives a reboot, so that's cool.

Thank you for the support!

Best,
Dave

On Jun 12, 2024 at 8:31 PM -0400, Douglas E Engert <deengert@xxxxxxxxx>, wrote:
> I have not looked at Kerberos in years. But it looks like KRB5CCNAME comes from:
> https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197
> But it depends on which version of Kerberos you have, and if you are also using PAM.
>
> Google for: heimdal kerberos cache name
> It looks like there is now a SSSD Kerberos Cache Manager rather than storing in individual files.
>
> On 6/11/2024 7:21 PM, Dave Macias wrote:
> > Just to show what I mean when I ssh into my VMs, 2 VMs save the cache in /tmp and the other 2 in /home.
> > See what happens when I run the loop below:
> >
> > for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done
> >
> > rocky8client.domain.net
> > Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
> > Default principal: jdoe@xxxxxxxxxx
> >
> > Valid starting       Expires              Service principal
> > 06/11/2024 17:58:09  06/12/2024 17:58:09  krbtgt/DOMAIN.NET@xxxxxxxxxx
> >         renew until 06/11/2024 17:58:09
> >
> > rocky9client.domain.net
> > Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5
> > Default principal: jdoe@xxxxxxxxxx
> >
> > Valid starting     Expires            Service principal
> > 06/11/24 17:58:10  06/12/24 17:58:10  krbtgt/DOMAIN.NET@xxxxxxxxxx
> >         renew until 06/11/24 17:58:10
> > Your password will expire in 23 hours.
> >
> > rocky9server.domain.net
> > Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> > Default principal: jdoe@xxxxxxxxxx
> >
> > Valid starting     Expires            Service principal
> > 06/11/24 21:58:11  06/12/24 21:58:11  krbtgt/DOMAIN.NET@xxxxxxxxxx
> >         renew until 06/11/24 21:58:11
> >
> > rocky8server.domain.net
> > Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> > Default principal: jdoe@xxxxxxxxxx
> >
> > Valid starting     Expires            Service principal
> > 06/11/24 21:58:12  06/12/24 21:58:12  krbtgt/DOMAIN.NET@xxxxxxxxxx
> >         renew until 06/11/24 21:58:12
> >
> > On Jun 11, 2024 at 5:05 PM -0400, Dave Macias <davama@xxxxxxxxx>, wrote:
> > > Thank you both for the replies and explanation!
> > >
> > > @douglas
> > >
> > > Can I set KRB5CCNAME somewhere so that it uses /home? Where?
> > >
> > > But even if I could set the env variable I have this odd behavior:
> > >
> > > I now have 4 VMs running.
> > > 2 are rocky8 and 2 are rocky9, with the same settings and versions I stated in my first post.
> > >
> > > From the 4 VMs, when I ssh into them, 2 of them set a cache file in the user's home and the other two save it in /tmp.
> > > I can't seem to understand why my other two VMs do not want to set up the cache in /home.
> > >
> > > The only difference I can think of is that the two VMs that do use /home are the actual kdc/ldap servers. The two "bad" VMs are clients, only running sssd/sshd.
> > >
> > > Upon ssh login to each of the 4 VMs, a KRB5CCNAME=FILE:/bla environment variable is set, which will be /tmp or /home, depending on the VM.
> > >
> > > Someone requested a trace, so I'll post that tomorrow; hopefully it will be helpful.
> > >
> > > Appreciate very much you all's input!
> > >
> > > Best,
> > > Dave
> > >
> > > On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert@xxxxxxxxx>, wrote:
> > > >
> > > > On 6/6/2024 8:26 AM, Dave Macias wrote:
> > > > > *I wanted to see if I could make the cache file user-specific, instead of
> > > > > the default location (/tmp/krb5cc-blabla).*
> > > >
> > > > SSH is creating a separate ticket cache file for each login session and owned by the user.
> > > > This has been the preferred way to do this for decades.
> > > > https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
> > > >
> > > > Your "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd, and your environment should have a KRB5CCNAME with that name.
> > > > If you share the ticket cache between multiple login sessions, when the first session ends,
> > > > the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart.
> > > > /tmp is also a local file system. /home may be on
> > > > a network disk which has other issues.
> > > >
> > > > --
> > > > Douglas E. Engert <DEEngert@xxxxxxxxx>
> >
> > --
> > Douglas E. Engert <DEEngert@xxxxxxxxx>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
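As an added example (not code from the thread or from SSSD/OpenSSH), a small POSIX shell helper set for the switch Dave describes: a krb5.conf drop-in that makes KCM: the default cache for every login, plus a parser for klist output so the per-host ssh loop reports FILE vs KCM and where a FILE cache lives, instead of printing raw listings. Assumed (not from the page): krb5.conf includes /etc/krb5.conf.d/ as on Rocky, and jdoe can reach the hosts with key or GSSAPI auth so no sshpass password is needed on the command line.

```shell
#!/bin/sh
# Helpers for moving sshd's per-session FILE:/tmp/krb5cc_* caches to the
# SSSD Kerberos Cache Manager (KCM:) and checking the result on each host.
# Assumption: /etc/krb5.conf.d/ is included by krb5.conf (Rocky/RHEL default).

# Write a krb5.conf drop-in that makes KCM: the default cache for all users.
# $1 = drop-in directory (normally /etc/krb5.conf.d).
kcm_drop_in() {
    printf '[libdefaults]\n    default_ccache_name = KCM:\n' > "$1/kcm_default_ccache"
}

# Extract the cache type (FILE, KCM, DIR, ...) from klist output; UNKNOWN if absent.
# $1 = full klist output as one string.
cache_type() {
    t=$(printf '%s\n' "$1" | sed -n 's/^Ticket cache: \([A-Za-z]*\):.*/\1/p' | head -n 1)
    [ -n "$t" ] && printf '%s\n' "$t" || printf 'UNKNOWN\n'
}

# For a FILE: cache, print the directory holding it (e.g. /tmp or /home/jdoe);
# prints nothing for other cache types.
cache_dir() {
    p=$(printf '%s\n' "$1" | sed -n 's/^Ticket cache: FILE:\(.*\)$/\1/p' | head -n 1)
    [ -z "$p" ] || dirname "$p"
}

# Print "<host> <cache type>" for each host, like the thread's ssh loop but
# summarised. BatchMode avoids any password prompt; ssh failures give UNKNOWN.
check_hosts() {
    for h in "$@"; do
        out=$(ssh -o BatchMode=yes -l jdoe "$h" klist 2>/dev/null) || out=''
        printf '%s %s\n' "$h" "$(cache_type "$out")"
    done
}

# Constructed klist samples (not captured from a real host) to exercise the
# parser offline; the cache names mirror the shapes seen in the thread.
SAMPLE_FILE_KLIST='Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
Default principal: jdoe@DOMAIN.NET'
SAMPLE_KCM_KLIST='Ticket cache: KCM:2000:16626
Default principal: jdoe@DOMAIN.NET'
```

Run `check_hosts rocky8client rocky9client rocky9server rocky8server` after deploying the drop-in and enabling sssd-kcm; every host should report KCM.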