On Tue, Jul 25, 2017 at 11:20:21AM +0000, Ondrej Valousek wrote:
> Out of interest:
> What is the difference between KCM and the gssproxy service?

So I don't know much about gssproxy to be honest, but if I understand it
correctly, gssproxy provides access to Kerberos key material like keytabs
to services like NFS's gssproxy.
KCM is a storage for credentials that you acquire from KDC, for example
during kinit or during a PAM password login. Normally, on RHEL-6, the
credentials are stored in a flat file, on RHEL-7 in the kernel keyring. KCM
is another storage, which is backed by a daemon.
The upside of using the daemon is that it's stateful, so it can do things like
renewals regardless of whether the ticket comes through SSSD or kinit. The
daemon can also provide notifications to the desktop and runs in userspace,
so it's better suited for containers. (More details can be found in the
design page, hopefully.)
The downside is of course more complexity and therefore more things that
can go wrong, especially compared to a flat and dumb file.