Default libkrb5 ccache location
simo at redhat.com
Fri Jul 26 14:48:17 UTC 2013
Recently a number of bugs [1-5] have come up regarding the new default
Kerberos Ccache location that we changed according to .
We originally thought that reusing the same directory used by
XDG_USER_DIR was a good idea as systemd/logind would pre-create it for
us and we'd all be happy.
Unfortunately it turns out there a re a number of cases where the
directory is not pre-created for us (sshd, sudo, su) and a number of
cases where even if we created it out of systemd/logind supervision we'd
risk it being yanked from under the process that is using it as by
default systemd/logind uses a refcount system to know when to remove it.
I have an idea that can solve the problem relatively easily.
Create a small dbus program (reuse oddjob ?) that will be called by
libkrb5 to request creation of the credential cache. This would be a
small Fedora19 patch to libkrb5, I do not think upstream would like it
in this form (more on it later)[*].
The dbus program would simply get the unix cred structure of the calling
application via dbus services and unconditionally
create /var/kerberos/user/%uidnumber/krbcc[**] directory based
exclusively on the uid number of the peer and a system configured
template, it would also create a symlink in /run/user/%uidnumber/krbcc
for backwards compatibility in Fedora 19 only, and we transition
completely to the new dir in F20.
Why a new dir ? Because we do not want systemd/logind to yank the
directory under us. There are a number of cases where it would be
beneficial to keep it around (example a cron job that starts every 10
minutes and uses cached credentials valid for hours to do some task).
 https://bugzilla.redhat.com/961235 - Credential cache
directory /run/user/0/krb5cc does not exist
 https://bugzilla.redhat.com/977972 - kinit: Credential cache
directory /run/user/0/krb5cc does not exist while getting default ccache
 https://bugzilla.redhat.com/904720 - ipa-adtrust-install fails
 https://bugzilla.redhat.com/796429 - sssd and kerberos should change
the default location for create the Credential Caches
 https://bugzilla.redhat.com/987792 - KRB5CCNAME is not set in PAM
session with GSSAPI SSH auth
[*] I asked the MIT Kerberos team a while ago if we can make the cache
type pluggable or revive the project to build a KCM (Kerberos Cache
Manager) so we could decide to implement the cache manager functionality
later, and there is interest. So that would be my long term strategy.
[**] I am flexible about where the dir should reside, if we want to keep
tmpfs behavior we can put it under /run/kerberos/user
Simo Sorce * Red Hat, Inc * New York
More information about the devel