Default libkrb5 ccache location

Simo Sorce simo at
Fri Jul 26 14:48:17 UTC 2013

Recently a number of bugs [1-5] have come up regarding the new default
Kerberos Ccache location that we changed according to [6].

We originally thought that reusing the same directory used by
XDG_USER_DIR was a good idea as systemd/logind would pre-create it for
us and we'd all be happy.

Unfortunately it turns out there are a number of cases where the
directory is not pre-created for us (sshd, sudo, su) and a number of
cases where even if we created it out of systemd/logind supervision we'd
risk it being yanked from under the process that is using it as by
default systemd/logind uses a refcount system to know when to remove it.

I have an idea that can solve the problem relatively easily.
Create a small dbus program (reuse oddjob?) that will be called by
libkrb5 to request creation of the credential cache. This would be a
small Fedora 19 patch to libkrb5, I do not think upstream would like it
in this form (more on it later)[*].

The dbus program would simply get the unix cred structure of the calling
application via dbus services and unconditionally
create /var/kerberos/user/%uidnumber/krbcc[**] directory based
exclusively on the uid number of the peer and a system configured
template, it would also create a symlink in /run/user/%uidnumber/krbcc
for backwards compatibility in Fedora 19 only, and we transition
completely to the new dir in F20.

Why a new dir? Because we do not want systemd/logind to yank the
directory under us. There are a number of cases where it would be
beneficial to keep it around (example: a cron job that starts every 10
minutes and uses cached credentials valid for hours to do some task).


[1] - Credential cache directory /run/user/0/krb5cc does not exist
[2] - kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
[3] - ipa-adtrust-install fails
[4] - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc
[5] - KRB5CCNAME is not set in PAM session with GSSAPI SSH auth

[*] I asked the MIT Kerberos team a while ago if we can make the cache
type pluggable or revive the project to build a KCM (Kerberos Cache
Manager) so we could decide to implement the cache manager functionality
later, and there is interest. So that would be my long term strategy.

[**] I am flexible about where the dir should reside, if we want to keep
tmpfs behavior we can put it under /run/kerberos/user

Simo Sorce * Red Hat, Inc * New York
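The directory-creation step the helper described above would perform, as an added illustration that is not code from this post, from libkrb5 or from any Fedora package. It assumes the caller has already obtained the peer's uid from the D-Bus daemon's credential lookup (for example org.freedesktop.DBus.GetConnectionUnixUser) rather than from anything the client sent, and it treats the /var/kerberos/user and /run/user templates as configurable placeholders. The security-relevant details it shows are the ones a helper like this has to get right: the only input is the numeric peer uid, every component below the template root is created mode 0700 and owned by that uid, a pre-existing symlink or foreign-owned directory in the path is rejected instead of reused, and the compatibility symlink is only created when the logind runtime directory already exists (the sshd/sudo/su case simply yields no link).

```python
import os
import stat

# Templates are assumptions standing in for a system-configured value.
DEFAULT_TEMPLATE = "/var/kerberos/user/%uidnumber/krbcc"
COMPAT_TEMPLATE = "/run/user/%uidnumber/krbcc"


def expand_template(template, uid):
    """Substitute the numeric uid into the template.

    The uid is the peer's unix credential as reported by the bus, never a
    string taken from the request, so no path component can be injected.
    """
    if not isinstance(uid, int) or isinstance(uid, bool) or uid < 0:
        raise ValueError("uid must be a non-negative integer")
    return template.replace("%uidnumber", str(uid))


def _check_component(path, uid):
    """Reject anything that is not a private directory owned by uid."""
    st = os.lstat(path)  # lstat: a symlink planted here must not be followed
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} exists but is not a plain directory")
    if st.st_uid != uid:
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & 0o077:
        raise RuntimeError(f"{path} is group- or world-accessible")


def ensure_ccache_dir(peer_uid, template=DEFAULT_TEMPLATE):
    """Create the per-uid ccache directory and return its path.

    The template root (e.g. /var/kerberos/user) is expected to exist and be
    root-owned; everything below it is created 0700, owned by peer_uid, and
    re-verified on every call so the function is safe to repeat.
    """
    root, _, _ = template.partition("%uidnumber")
    root = root.rstrip("/")
    if not os.path.isdir(root):
        raise FileNotFoundError(f"template root {root} does not exist")
    target = expand_template(template, peer_uid)
    relative = target[len(root):].strip("/")
    current = root
    for component in relative.split("/"):
        current = os.path.join(current, component)
        try:
            os.mkdir(current, 0o700)
        except FileExistsError:
            pass  # verified below; a pre-existing symlink is rejected there
        else:
            os.chmod(current, 0o700)  # do not let the umask widen the mode
            if os.geteuid() == 0:
                os.chown(current, peer_uid, -1)  # -1 leaves the group alone
            elif os.geteuid() != peer_uid:
                raise PermissionError("need root to create dirs for another uid")
        _check_component(current, peer_uid)
    return target


def ensure_compat_symlink(peer_uid, target, link_template=COMPAT_TEMPLATE):
    """Point the old /run/user/<uid>/krbcc name at the new directory.

    Returns True when the link is in place, False when the logind runtime
    directory does not exist (no session, e.g. sshd/sudo/su), in which case
    there is nothing to link and callers should use the new path directly.
    """
    link = expand_template(link_template, peer_uid)
    parent = os.path.dirname(link)
    if not os.path.isdir(parent):
        return False
    if os.path.islink(link):
        return os.readlink(link) == target  # reuse only an identical link
    if os.path.lexists(link):
        raise RuntimeError(f"{link} exists and is not a symlink")
    os.symlink(target, link)
    return True


if __name__ == "__main__":
    # Stand-alone demo against a throwaway tree instead of /var and /run.
    import tempfile
    base = tempfile.mkdtemp()
    root = os.path.join(base, "var", "kerberos", "user")
    os.makedirs(root)
    me = os.getuid()
    path = ensure_ccache_dir(me, root + "/%uidnumber/krbcc")
    print("ccache dir:", path, oct(os.stat(path).st_mode & 0o777))
    print("compat link:", ensure_compat_symlink(me, path, base + "/run/user/%uidnumber/krbcc"))
```

The demo at the bottom works in a temporary tree so it can be run as an ordinary user; the chown branch only runs when the helper itself is root, which is the situation the D-Bus service would be in.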
