Re: F27 System Wide Change: Kerberos KCM credential cache by default
Hey,
On Tue, Jun 20, 2017 at 07:42:27AM +0200, Jan Kurik wrote:
= System Wide Change: Kerberos KCM credential cache by default =
https://fedoraproject.org/wiki/Changes/KerberosKCMCache
Change owner(s):
* Jakub Hrozek <jhrozek AT redhat DOT com>
Default to a new Kerberos credential cache type called KCM which is
better suited for containerized environments and provides a better
user experience in the general case as well.
[...]
== Scope ==
* Proposal owners:
SSSD developers will implement a KCM server. The deamon along with a
krb5.conf snippet will be packaged in a subpackage called `sssd-krb5`.
The interested variants of Fedora that would wish to opt in would add
the `sssd-krb5` subpackage to their compose.
* Other developers:
None required
Based on my past conversations with the Identity Management folks, I
think we want this in Workstation. So we also need to support KCM
caches in gnome-online-accounts for the GNOME integration. The
upstream bug is https://bugzilla.gnome.org/show_bug.cgi?id=779140
Maybe we should also track it in Fedora?
(One problem with the existing KEYRING caches is the lack of a
notification API. The Kerberos integration in GNOME through
gnome-online-accounts ends up having to poll the kernel's keyring
every few seconds to find out about the state of credentials.
In contrast, KCM is supposed to use D-Bus signals for notification,
and in the past one could use inotify watches with FILE and DIR
caches.)
Cheers,
Rishi