Headsup! krb5 ccache defaults are changing in Rawhide

Stephen Gallagher sgallagh at redhat.com
Fri Feb 24 02:43:02 UTC 2012


On Thu, 2012-02-23 at 14:28 -0500, Stephen Gallagher wrote:
> Dear fellow developers,
> 
> with the upcoming Fedora 18 release (currently Rawhide) we are going to
> change the place where krb5 credential cache files are saved by default.
> 
> The new default for credential caches will be the /run/user/<username>
> directory.
> 
> The reason is to make credential saving a bit more predictable while at
> the same time avoiding races. Along the road we also gain a little bit
> more security by the fact that /run is a tmpfs and therefore cached
> credentials are automatically removed if the machine is shut off.
> 
> We have opened bugs to change the default location in libkrb5
> https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> https://bugzilla.redhat.com/show_bug.cgi?id=786993
> 
> Normal users should not experience issues once these components are
> fixed, however because the /run/user/<username> directory is created by
> PAM it means this directory is not normally created for daemons that may
> run as a system user.
> 
> One such case is mod_auth_kerb that recently gained the ability to kinit
> with an HTTP/ keytab in order to support the s4u2proxy feature.
> 
> For daemons that use a keytab to kinit because they act as clients (as
> opposed to just servers that accept kerberos connections), it may be
> needed to add a configuration snippet in their configuration file
> under /etc/tmpfiles.d so that /run/user/<username> is created with the
> correct permissions (700) and user ownership.
> 
> For example, httpd would add the following line to
> the /etc/tmpfiles.d/httpd.conf:
> 
> d /var/run/user/apache   700 apache apache
> 
> If you know your daemon requires a credential cache file and does not
> specify one on its own but instead relies on the default location, then
> you should open a ticket in bugzilla and add the necessary configuration
> to tmpfiles.d
> 
> If you have any questions feel free to contact any of the people in CC.



Replying to myself, I've started a Feature Page here:
http://fedoraproject.org/wiki/Features/KRB5CacheMove
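As an added example, not part of the mail above: a small POSIX shell check that a packager can run after boot to confirm that the directory a tmpfiles.d `d` entry creates for a daemon really ended up mode 0700 and owned by that daemon user, so the credential cache inside it is not readable by other local users. It assumes GNU `stat` (as on Fedora); the function names `check_ccache_dir` and `check_tmpfiles_line` are my own.

```shell
#!/bin/sh
# Added example (not from the original mail). Verifies that a daemon's
# credential-cache directory matches what the mail asks for: a directory,
# mode 0700, owned by the daemon user. Assumes GNU stat (Linux).

# check_ccache_dir DIR USER
#   returns 0 if DIR is a directory with mode 0700 owned by USER, 1 otherwise
check_ccache_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "bad mode on $dir: $mode (want 700)" >&2
        return 1
    fi
    if [ "$owner" != "$user" ]; then
        echo "bad owner on $dir: $owner (want $user)" >&2
        return 1
    fi
    return 0
}

# check_tmpfiles_line "d /var/run/user/apache 700 apache apache"
#   parses a tmpfiles.d 'd' entry (type path mode user group), insists the
#   declared mode is 700, then checks the directory on disk against it
check_tmpfiles_line() {
    set -- $1
    [ "$1" = "d" ] || { echo "not a 'd' entry: $*" >&2; return 1; }
    [ "$3" = "700" ] || { echo "$2: declared mode $3, want 700" >&2; return 1; }
    check_ccache_dir "$2" "$4"
}
```

Run it as `check_tmpfiles_line "$(grep '^d ' /etc/tmpfiles.d/httpd.conf)"` after a reboot to confirm the entry took effect.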

