Dear fellow developers,

with the upcoming Fedora 18 release (currently Rawhide) we are going to change the place where krb5 credential cache files are saved by default. The new default for credential caches will be the /run/user/<username> directory.

The reason is to make credential saving a bit more predictable while at the same time avoiding races. Along the road we also gain a little bit more security by the fact that /run is a tmpfs and therefore cached credentials are automatically removed if the machine is shut off.

We have opened bugs to change the default location in libkrb5 https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils https://bugzilla.redhat.com/show_bug.cgi?id=786993

Normal users should not experience issues once these components are fixed; however, because the /run/user/<username> directory is created by PAM, this directory is not normally created for daemons that may run as a system user.

One such case is mod_auth_kerb, which recently gained the ability to kinit with an HTTP/ keytab in order to support the s4u2proxy feature. For daemons that use a keytab to kinit because they act as clients (as opposed to just servers that accept Kerberos connections), it may be necessary to add a configuration snippet in their configuration file under /etc/tmpfiles.d so that /run/user/<username> is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to /etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d.

If you have any questions feel free to contact any of the people in CC.

-- Stephen Gallagher * Red Hat, Inc * Massachusetts
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
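The following is an added example, not part of Stephen's message and not code from any Fedora package: a small POSIX sh check that a daemon's default credential cache directory actually ends up the way a tmpfiles.d "d" line like the httpd one above is meant to leave it (present, mode 700, owned by the daemon's user and group). The function names ccache_dir_ok and tmpfiles_line_check are made up for this example; it assumes GNU stat(1) from coreutils, as on Fedora, and relies on /var/run being a symlink to /run there.

```shell
#!/bin/sh
# Added example, not part of the original message or of any Fedora package.
# Checks that a daemon's default krb5 credential cache directory looks the way
# a tmpfiles.d "d" line is meant to leave it, e.g.
#     d /var/run/user/apache 700 apache apache
# Assumes GNU stat(1) (coreutils, as on Fedora); on Fedora /var/run -> /run.

# ccache_dir_ok DIR MODE USER GROUP
# Returns 0 if DIR is a directory with exactly mode MODE (octal, no leading
# zero, e.g. 700) owned by USER:GROUP; otherwise prints why to stderr, returns 1.
ccache_dir_ok() {
    dir=$1 want_mode=$2 want_user=$3 want_group=$4
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; is the tmpfiles.d snippet installed and was systemd-tmpfiles --create run?" >&2
        return 1
    fi
    # stat prints e.g. "700 apache apache"; split it into the positional parameters
    set -- $(stat -c '%a %U %G' "$dir")
    if [ "$1" != "$want_mode" ]; then
        echo "$dir: mode $1, want $want_mode (other users could read the ccache)" >&2
        return 1
    fi
    if [ "$2" != "$want_user" ] || [ "$3" != "$want_group" ]; then
        echo "$dir: owned by $2:$3, want $want_user:$want_group" >&2
        return 1
    fi
    return 0
}

# tmpfiles_line_check "d PATH MODE USER GROUP"
# Parses one tmpfiles.d directory line and verifies the directory matches it.
# Only plain "d" lines with an explicit mode, user and group are handled
# (the "-" defaults of tmpfiles.d are not).
tmpfiles_line_check() {
    set -- $1
    if [ "$1" != "d" ] || [ $# -lt 5 ]; then
        echo "unsupported tmpfiles.d line: $*" >&2
        return 1
    fi
    # tmpfiles.d accepts "0700" or "700"; normalise to what stat %a prints
    mode=$(printf '%o' "0$3")
    ccache_dir_ok "$2" "$mode" "$4" "$5"
}

# Usage: sh ccache_dir_check.sh 'd /var/run/user/apache 700 apache apache'
if [ $# -gt 0 ]; then
    tmpfiles_line_check "$*"
fi
```

After dropping the snippet into /etc/tmpfiles.d/httpd.conf, `systemd-tmpfiles --create /etc/tmpfiles.d/httpd.conf` creates the directory without a reboot, and the check above can then confirm that no other user can read whatever the daemon's kinit puts there.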