Broken Enterprise Login (Kerberos) accounts in GOA/keyring

Solution Verified - Updated -

Issue

  • We have sssd with auth_provider=krb5 and id_provider=ldap.
  • When a fresh user logs in through gdm for the first time, they receive a Kerberos ticket.
  • GNOME Online Accounts (probably reacting to the ticket) creates an Enterprise Login (Kerberos) account within itself.
  • It looks something like this in the .config/goa-1.0/accounts.conf file:

      [Account account_1440134465]
      Provider=kerberos
      Identity=username@domainname.com
      PresentationIdentity=domainname.com
      Realm=domainname.com
      SessionId=3163fcfdba662fcd1c18b8bc55d6b53e
      IsTemporary=true
      TicketingEnabled=true

  • In addition, Passwords and Keys receives an entry that looks like an error.
  • It is named like "GOA kerberos credentials for identity account_1440134465", and is a saved password that reads "@a{sv} {}".
  • These two never seem to get removed and new ones are created every time that the user logs in.
  • After a while Passwords and Keys is littered with useless entries that make it hard to find the useful ones and so is accounts.conf, although at least the extra ones are hidden from the Online Accounts interface.

  • The problem seems to go away if after the first login I change the created GOA account to read IsTemporary=false.

  • New accounts or keys are then not created on subsequent logins.

  • Is there some way I can keep this littering from happening in the first place?

Environment

  • Red Hat Enterprise Linux 7
  • gnome-online-accounts
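
The following Python example is added here and is not part of the original article or of gnome-online-accounts: it parses text in the accounts.conf layout shown above and reports, per identity, the Kerberos accounts still marked IsTemporary=true, together with the Passwords and Keys labels they would correspond to. The sample data (apart from the first account id) and the function names are constructed for illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample in the accounts.conf layout shown above (values are made up).
SAMPLE = """\
[Account account_1440134465]
Provider=kerberos
Identity=username@domainname.com
Realm=domainname.com
IsTemporary=true

[Account account_1440220871]
Provider=kerberos
Identity=username@domainname.com
Realm=domainname.com
IsTemporary=true

[Account account_1440000000]
Provider=kerberos
Identity=username@domainname.com
Realm=domainname.com
IsTemporary=false

[Account account_1439000000]
Provider=google
Identity=someone@example.com
"""

def temporary_kerberos_accounts(text):
    """Return {identity: [account ids]} for Kerberos accounts marked IsTemporary=true."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    found = defaultdict(list)
    for section in cp.sections():
        acct = cp[section]
        if not section.startswith("Account ") or acct.get("Provider") != "kerberos":
            continue
        if acct.get("IsTemporary", "false").strip().lower() == "true":
            found[acct.get("Identity", "")].append(section.split(" ", 1)[1])
    return dict(found)

def keyring_labels(account_ids):
    """Labels of the matching Passwords and Keys entries, per the naming quoted above."""
    return [f"GOA kerberos credentials for identity {a}" for a in account_ids]

if __name__ == "__main__":
    for identity, ids in temporary_kerberos_accounts(SAMPLE).items():
        print(f"{identity}: {len(ids)} temporary account(s)", *keyring_labels(ids), sep="\n  ")
```

More than one temporary account for the same identity is the accumulation described in the issue.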
