#4092 ccache removed by concurrent krb5_child runs
Opened 4 months ago by micpas. Modified 4 months ago

sssd configured with IPA as backend. When two (or more) concurrent ssh logins happen for same account, krb5_child removes ccache file created by another process.

It used to work in CentOS 6.6 (sssd-1.11.6-30.el6.x86_64) but stopped working with CentOS 6.7 (sssd-1.12.4-47.el6.x86_64). It still doesn't work with CentOS 6.10 or 7.7.

How to reproduce:
1) issue two ssh logins at the same time, e.g. from a split terminal which enters keys in two windows
2) enter password and hit enter
3) two sessions are opened, one session has proper ccache, the other doesn't

Good session after login:

$ klist 
Ticket cache: FILE:/tmp/krb5cc_790600003_d0kWvL
Default principal: u1@A.B.C

Valid starting     Expires            Service principal
10/02/19 22:53:59  10/03/19 22:53:58  krbtgt/A.B.C@A.B.C

Bad session after login:

$ klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_790600003_9p4noH)

The ccache got removed from filesystem.


can you add debug_level=9 to the [domain\....] section of sssd.conf, restart SSSD, run the login test again and attach the SSSD logs to the ticket?

There is a serialization of the login attempts of the same user and SSSD saves the name of the credential cache to prevent this issue. The logs should tell why the first one is not used anymore.


Login to comment on this ticket.