[SSSD-users] Re: KCM credential forwarding behavior broken?

On Tue, Jun 4, 2019 at 1:25 AM Winberg Adam Adam.Winberg@smhi.se wrote:

Sounds like the same issue I had, i created a bugzilla ticket for it: https://bugzilla.redhat.com/show_bug.cgi?id=1712875

Thanks; I piled on.

For us KCM does not bring anything extra to the table as it does not manage ticket renewals yet, so we switched back to kernel keyring for kerberos tickets.

Sites who use Kerberos authentication to access both Windows SMB shares and NFS mounts care about this, because KCM avoids the problem of cifs.upcall creating root's kernel persistent keyring with the wrong SELinux context and thus breaking rpc.gssd's ability to subsequently access the credential cache.