Recently a number of bugs [1-5] have come up regarding the new default Kerberos Ccache location that we changed according to [6]. We originally thought that reusing the same directory used by XDG_USER_DIR was a good idea as systemd/logind would pre-create it for us and we'd all be happy. Unfortunately it turns out there a re a number of cases where the directory is not pre-created for us (sshd, sudo, su) and a number of cases where even if we created it out of systemd/logind supervision we'd risk it being yanked from under the process that is using it as by default systemd/logind uses a refcount system to know when to remove it. I have an idea that can solve the problem relatively easily. Create a small dbus program (reuse oddjob ?) that will be called by libkrb5 to request creation of the credential cache. This would be a small Fedora19 patch to libkrb5, I do not think upstream would like it in this form (more on it later)[*]. The dbus program would simply get the unix cred structure of the calling application via dbus services and unconditionally create /var/kerberos/user/%uidnumber/krbcc[**] directory based exclusively on the uid number of the peer and a system configured template, it would also create a symlink in /run/user/%uidnumber/krbcc for backwards compatibility in Fedora 19 only, and we transition completely to the new dir in F20. Why a new dir ? Because we do not want systemd/logind to yank the directory under us. There are a number of cases where it would be beneficial to keep it around (example a cron job that starts every 10 minutes and uses cached credentials valid for hours to do some task). Simo. [1] https://bugzilla.redhat.com/961235 - Credential cache directory /run/user/0/krb5cc does not exist [2] https://bugzilla.redhat.com/977972 - kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache [3] https://bugzilla.redhat.com/904720 - ipa-adtrust-install fails unexpectedly [4] https://bugzilla.redhat.com/796429 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc [5] https://bugzilla.redhat.com/987792 - KRB5CCNAME is not set in PAM session with GSSAPI SSH auth [6] https://fedoraproject.org/wiki/Features/KRB5CacheMove [*] I asked the MIT Kerberos team a while ago if we can make the cache type pluggable or revive the project to build a KCM (Kerberos Cache Manager) so we could decide to implement the cache manager functionality later, and there is interest. So that would be my long term strategy. [**] I am flexible about where the dir should reside, if we want to keep tmpfs behavior we can put it under /run/kerberos/user -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
