On Tue, Jan 31, 2017 at 02:49:41PM +0100, Florian Weimer wrote:
> On 01/31/2017 02:38 PM, Jakub Hrozek wrote:
> > On Tue, Jan 31, 2017 at 02:36:12PM +0100, Florian Weimer wrote:
> > > On 01/31/2017 10:36 AM, David Woodhouse wrote:
> > > > Please ensure this works with winbind. The switch to KEYRING: by
> > > > default didn't — pam_winbind was putting creds in /tmp/krb5cc_$UID
> > > > still, and then they weren't consistently being found there.
> > >
> > > OpenJDK could be affected by this as well.
> >
> > Does OpenJDK work with KEYRING now or only handle FILE?
>
> Hmm. I assumed it handled KEYRING:, but both jdk8 and jdk9 only seem to
> implement FILE:. So this change shouldn't result in a regression.

Right, thanks for checking.

The use-case you are describing is also something we would like to
tackle with KCM, although we haven't started implementing this piece yet
at all -- we would like to make it possible, either via a new UNIX
socket exposed by KCM or via some other shim layer to format a FILE:
ccache with a particular principal to some location so that we can use a
modern collection-aware credential cache, but keep using software like
JDK that only handles FILE.