I'm using Apache with GSS-Proxy and the following systemd httpd.service.d/
httpd-gssproxy.conf drop-in, enabling transfer of the HTTP service principal
without Apache having direct access to the HTTP service keytab:
[Service]
Environment=KRB5CCNAME=/run/httpd/clientcaches/krb5cc-httpd
Environment=GSS_USE_PROXY=yes
I also have a number of Apache Location directives as follows:
<Location>
...
GssapiDelegCcacheDir /run/httpd/clientcaches
GssapiDelegCcacheUnique On
...
</Location>
This is all working wonderfully and credentials are set as
/run/httpd/clientcaches/user@EXAMPLE.COM-Q1pBaI
Reviewing the documentation I know I'll need to clean up these unique ccaches;
however, all the unique ccaches are encrypted like the following:
# klist -c user@EXAMPLE.COM-Q1pBaI
Ticket cache: FILE:user@EXAMPLE.COM-Q1pBaI
Default principal: user@EXAMPLE.COM
Valid starting       Expires              Service principal
12/31/1969 18:00:00  12/31/1969 18:00:00  Encrypted/Credentials/v1@X-GSSPROXY:
The sweeper.py in the mod_auth_gssapi source doesn't seem to be able to handle
this, thinking that each ccache is already expired.
Can you offer other suggestions for cleaning these out based on their actual
expiry? Thank you. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
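An added example (not code from the post, from mod_auth_gssapi or from gssproxy) of a sweeper that handles the case described above. It assumes the caches are MIT krb5 FILE ccaches in format v4, that a GSS-Proxy encrypted entry is recognisable by the server principal Encrypted/Credentials/v1@X-GSSPROXY and all-zero times (as in the klist output in the post), and that the real lifetime of such an entry cannot be read from the file, so for those it falls back to the file's mtime plus a caller-supplied maximum ticket lifetime. The names parse_ccache, expiry_of, sweep_dir and build_ccache are introduced here; build_ccache only produces constructed test data.

```python
import os
import struct
import time
from dataclasses import dataclass

# Server principal gssproxy stores in place of the real credential (assumption,
# taken from the klist output in the post).
GSSPROXY_MARKER = "Encrypted/Credentials/v1@X-GSSPROXY"


@dataclass
class Cred:
    server: str
    endtime: int        # epoch seconds; 0 for a GSS-Proxy encrypted entry
    encrypted: bool


class _Reader:
    """Big-endian cursor over a MIT krb5 FILE ccache, format v4 (assumed layout)."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def eof(self):
        return self.pos >= len(self.data)

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())

    def principal(self):
        self.u32()                          # name type, not needed here
        ncomp = self.u32()
        realm = self.blob().decode()
        comps = [self.blob().decode() for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm

    def skip_list(self):                    # addresses / authdata: count of (u16 type, blob)
        for _ in range(self.u32()):
            self.u16()
            self.blob()


def parse_ccache(data: bytes):
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE ccache format v4 is handled")
    r.take(r.u16())                         # header tags (DeltaTime etc.), skipped
    r.principal()                           # default principal
    creds = []
    while not r.eof():
        r.principal()                       # client
        server = r.principal()
        r.u16(); r.blob()                   # keyblock: enctype, key bytes
        _auth, _start, endtime, _renew = [r.u32() for _ in range(4)]
        r.u8(); r.u32()                     # is_skey, ticket flags
        r.skip_list(); r.skip_list()        # addresses, authdata
        r.blob(); r.blob()                  # ticket, second ticket
        creds.append(Cred(server, endtime, server == GSSPROXY_MARKER))
    return creds


def expiry_of(data: bytes, mtime: float, max_lifetime: int):
    """Best-effort expiry (epoch seconds) plus the rule that produced it."""
    creds = parse_ccache(data)
    if any(c.encrypted for c in creds):
        return mtime + max_lifetime, "gssproxy"      # endtime is 0 in the file
    ends = [c.endtime for c in creds if c.endtime]
    return (max(ends), "krb5") if ends else (mtime + max_lifetime, "no-endtime")


def sweep_dir(directory: str, max_lifetime: int, now=None, dry_run=True):
    """Remove (or, with dry_run, only report) ccaches whose expiry has passed."""
    now = time.time() if now is None else now
    removed = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as f:
            data = f.read()
        try:
            expiry, _ = expiry_of(data, entry.stat().st_mtime, max_lifetime)
        except ValueError:
            continue                        # not a ccache we understand; leave it
        if expiry <= now:
            removed.append(entry.name)
            if not dry_run:
                os.unlink(entry.path)
    return removed


# Constructed test data (dummy key and ticket, not a real credential).
def _b(data: bytes):
    return struct.pack(">I", len(data)) + data

def _princ(name: str):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    return struct.pack(">II", 1, len(parts)) + _b(realm.encode()) + b"".join(_b(p.encode()) for p in parts)

def build_ccache(client: str, entries):
    """entries: [(server_principal, endtime)]; emits the v4 layout parse_ccache reads."""
    out = b"\x05\x04" + struct.pack(">HHH", 12, 1, 8) + b"\x00" * 8   # header: DeltaTime tag
    out += _princ(client)
    for server, end in entries:
        out += _princ(client) + _princ(server)
        out += struct.pack(">H", 18) + _b(b"\x00" * 32)     # keyblock: enctype 18, dummy key
        out += struct.pack(">IIII", 0, 0, end, 0)           # authtime, starttime, endtime, renew_till
        out += b"\x00" + struct.pack(">I", 0)               # is_skey, ticket flags
        out += struct.pack(">II", 0, 0)                     # no addresses, no authdata
        out += _b(b"ticket") + _b(b"")                      # ticket, second ticket
    return out
```

Run sweep_dir("/run/httpd/clientcaches", max_lifetime=...) from a timer with the privileges needed to read that directory, with max_lifetime set to the KDC's maximum ticket life; check the dry-run list first, then switch to dry_run=False. Because the encrypted entries carry no usable endtime, the mtime rule can only over-approximate a ticket that was issued with a shorter life, which is the safe direction for a sweeper.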