Headsup! krb5 ccache defaults are changing in Rawhide

Stephen Gallagher sgallagh at redhat.com
Thu Feb 23 19:28:26 UTC 2012


Dear fellow developers,

with the upcoming Fedora 18 release (currently Rawhide) we are going to
change the place where krb5 credential cache files are saved by default.

The new default for credential caches will be the /run/user/<username>
directory.

The reason is to make credential saving a bit more predictable while at
the same time avoiding races. Along the road we also gain a little bit
more security by the fact that /run is a tmpfs and therefore cached
credentials are automatically removed if the machine is shut off.

We have opened bugs to change the default location in libkrb5
(https://bugzilla.redhat.com/show_bug.cgi?id=796429), in sssd
(https://bugzilla.redhat.com/show_bug.cgi?id=786957) and in nfs-utils
(https://bugzilla.redhat.com/show_bug.cgi?id=786993).

Normal users should not experience issues once these components are
fixed, however because the /run/user/<username> directory is created by
PAM it means this directory is not normally created for daemons that may
run as a system user.

One such case is mod_auth_kerb that recently gained the ability to kinit
with an HTTP/ keytab in order to support the s4u2proxy feature.

For daemons that use a keytab to kinit because they act as clients (as
opposed to just servers that accept Kerberos connections), it may be
needed to add a configuration snippet in their configuration file
under /etc/tmpfiles.d so that /run/user/<username> is created with the
correct permissions (700) and user ownership.

For example, httpd would add the following line to
/etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache   700 apache apache

If you know your daemon requires a credential cache file and does not
specify one on its own but instead relies on the default location, then
you should open a ticket in bugzilla and add the necessary configuration
to tmpfiles.d.
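As an added illustration (not part of the original mail or of any Fedora package), the following script checks that a daemon's default ccache directory really came out of tmpfiles.d with the ownership and mode described above, since a ccache holds a TGT and a too-open directory would expose it to other local users. It assumes GNU stat (with a BSD stat fallback); the tmpfiles_line helper is hypothetical and just emits a line in the mail's format for a given service user.

```shell
#!/bin/sh
# Added example, not from the original mail. After a snippet such as
# "d /run/user/apache 700 apache apache" has been applied (for example by
# "systemd-tmpfiles --create"), confirm the directory is owned by the
# service user with mode 700. Assumes GNU stat -c, falling back to BSD stat -f.

# Hypothetical helper: print the tmpfiles.d line for a service user.
tmpfiles_line() {
    printf 'd /run/user/%s 700 %s %s\n' "$1" "$1" "$1"
}

# check_ccache_dir DIR USER -> 0 if DIR exists, is owned by USER and is 700
check_ccache_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir (tmpfiles.d snippet not applied?)" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    owner=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir")
    rc=0
    if [ "$owner" != "$user" ]; then
        echo "BAD OWNER: $dir is owned by $owner, expected $user" >&2
        rc=1
    fi
    if [ "$mode" != "700" ]; then
        echo "BAD MODE: $dir has mode $mode, expected 700" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone demo against a constructed directory under a temp location,
# because creating /run/user/<username> itself requires root.
demo=$(mktemp -d)
chmod 700 "$demo"
tmpfiles_line "$(id -un)"
check_ccache_dir "$demo" "$(id -un)" && echo "OK: $demo"
rmdir "$demo"
```

Run it as root against the real path (check_ccache_dir /run/user/apache apache) after the snippet has been applied to verify the daemon's directory.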

If you have any questions feel free to contact any of the people in CC.

--
Stephen Gallagher * Red Hat, Inc * Massachusetts