On Thu, 2012-02-23 at 14:28 -0500, Stephen Gallagher wrote:
> Dear fellow developers,
>
> with the upcoming Fedora 18 release (currently Rawhide) we are going to
> change the place where krb5 credential cache files are saved by default.
>
> The new default for credential caches will be the /run/user/<username>
> directory.
>
> The reason is to make credential saving a bit more predictable while at
> the same time avoiding races. Along the road we also gain a little bit
> more security by the fact that /run is a tmpfs and therefore cached
> credentials are automatically removed if the machine is shut off.
>
> We have opened bugs to change the default location in libkrb5
> https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> https://bugzilla.redhat.com/show_bug.cgi?id=786993
>
> Normal users should not experience issues once these components are
> fixed; however, because the /run/user/<username> directory is created by
> PAM it means this directory is not normally created for daemons that may
> run as a system user.
>
> One such case is mod_auth_kerb that recently gained the ability to kinit
> with an HTTP/ keytab in order to support the s4u2proxy feature.
>
> For daemons that use a keytab to kinit because they act as clients (as
> opposed to just servers that accept Kerberos connections), it may be
> needed to add a configuration snippet in their configuration file
> under /etc/tmpfiles.d so that /run/user/<username> is created with the
> correct permissions (700) and user ownership.
>
> For example, httpd would add the following line to
> the /etc/tmpfiles.d/httpd.conf:
>
> d /var/run/user/apache 700 apache apache
>
> If you know your daemon requires a credential cache file and does not
> specify one on its own but instead relies on the default location, then
> you should open a ticket in bugzilla and add the necessary configuration
> to tmpfiles.d
>
> If you have any questions feel free to contact any of the people in CC.

Replying to myself, I've started a Feature Page here:
http://fedoraproject.org/wiki/Features/KRB5CacheMove
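As an added example that is not part of the original thread: a small POSIX shell helper that emits the tmpfiles.d line from the post for a given daemon user, checks that the resulting /run/user/<username> directory really has mode 700 and the expected owner (anything looser lets other local accounts read the daemon's ticket cache), and reports whether the directory sits on a tmpfs by reading Linux /proc/mounts. The function names and the assumption that the daemon's group is named like its user are mine.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the tmpfiles.d
# credential-cache directory setup the post describes.

# Emit the tmpfiles.d line from the post for daemon user $1: create the
# directory, mode 700, owned by that user and its same-named group
# (assumption: the group is named like the user, as with httpd's "apache").
tmpfiles_line() {
    printf 'd /var/run/user/%s 700 %s %s\n' "$1" "$1" "$1"
}

# Succeed only if $1 is a directory with mode exactly 700 owned by user $2.
# Anything looser lets other local accounts read the daemon's ticket cache
# once krb5 starts writing it under /run/user/<username>.
ccache_dir_ok() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 1
    # -prune keeps find on the directory itself; -perm 700 is an exact match.
    [ -n "$(find "$dir" -prune -type d -perm 700 -user "$user" -print 2>/dev/null)" ]
}

# Succeed if the mount holding $1 is a tmpfs (read from Linux /proc/mounts),
# which is what makes the cached credentials disappear at shutdown.
# Walks up the path until it reaches a mount point.
on_tmpfs() {
    p=$1
    [ -r /proc/mounts ] || return 1
    while :; do
        fstype=$(awk -v m="$p" '$2 == m { print $3 }' /proc/mounts | tail -n 1)
        if [ -n "$fstype" ]; then
            [ "$fstype" = "tmpfs" ]
            return
        fi
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}
```

Run `tmpfiles_line apache` to get the httpd line from the post, and `ccache_dir_ok /run/user/apache apache` after systemd-tmpfiles has applied it to confirm the directory is private to the daemon.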
--
devel mailing list
https://admin.fedoraproject.org/mailman/listinfo/devel