Re: Packagers - Flag day 2016 Important changes

On Tue, 13 Dec 2016 12:51:02 +0200
Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:

> On ti, 13 joulu 2016, Dan Horák wrote:
> >On Tue, 13 Dec 2016 12:29:57 +0200
> >Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:
> >
> >> On ti, 13 joulu 2016, Daniel P. Berrange wrote:
> >> >On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
> >> >> On ti, 13 joulu 2016, Alexander Bokovoy wrote:
> >> >> > On ti, 13 joulu 2016, Vít Ondruch wrote:
> >> >> > >
> >> >> > >
> >> >> > > Dne 12.12.2016 v 16:02 Stephen Gallagher napsal(a):
> >> >> > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> >> >> > > > > So several questions:
> >> >> > > > >
> >> >> > > > > 1) When I have 2 domains I login to with kerberos, how
> >> >> > > > > to really make it work. I don't want to kswitch all the
> >> >> > > > > time. I am using Kerberos to authenticate my email
> >> >> > > > > client, so I want to keep it working all the time.
> >> >> > > > >
> >> >> > > > There are patches still coming that will switch the fedora
> >> >> > > > packaging tools to use GSSAPI rather than Kerberos
> >> >> > > > directly, which will handle auto-selecting the right TGT.
> >> >> > > > I'm not sure what the status is on this, but Patrick
> >> >> > > > Uiterwijk (CCed) was looking into it.
> >> >> > >
> >> >> > > I am probably missing something, but if I am not mistaken,
> >> >> > > the primary ticket depends on the order of my kinit calls and I
> >> >> > > am using several apps which need kerberos authentication,
> >> >> > > so I can hardly see how fedora packaging tools changes can
> >> >> > > solve the major issue, i.e. if I do kinit
> >> >> > > vondruch@xxxxxxxxxxxxxxxxx, this ticket becomes the
> >> >> > > primary ...
> >> >> > The story is always more complex than it seems.
> >> >> >
> >> >> > There is the Kerberos protocol. There is also the GSSAPI interface
> >> >> > that allows wrapping Kerberos use under a more general security
> >> >> > exchange means. While Kerberos tools can deal with multiple
> >> >> > credential caches in the collection only by addressing the
> >> >> > currently selected credentials cache, GSSAPI-aware
> >> >> > applications enjoy the ability to choose which credentials cache
> >> >> > from the collection to use based on the realm of the target
> >> >> > service.
> >> >> >
> >> >> > Koji with a patch to use python-gssapi will have the ability to
> >> >> > choose the credentials cache automatically based on the realm
> >> >> > of the target service, regardless of which credentials cache is
> >> >> > active right now in the collection. The version in Fedora
> >> >> > right now (1.11.0-1.fc25) is not yet built with the patch to
> >> >> > use python-gssapi.
> >> >> A small correction: koji 1.11.0-1.fc25 does use
> >> >> python-requests-kerberos which uses python-kerberos which is
> >> >> using GSSAPI C library. I verified that koji in Fedora 25 does
> >> >> work with credentials cache collections and properly chooses
> >> >> the credentials cache which is not the one currently active.
> >> >>
> >> >> However, default Fedora 25 configuration[1] does not set the
> >> >> default ccache name to a collection, only FreeIPA client
> >> >> installer does this.
> >> >>
> >> >> As a result, if you have no
> >> >>
> >> >> [libdefaults]
> >> >>   default_ccache_name = KEYRING:persistent:%{uid}
> >> >>
> >> >> in your krb5.conf, you are using the defaults compiled into
> >> >> libkrb5 which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a
> >> >> credentials cache _collection_ and cannot store multiple
> >> >> credentials from multiple realms.
> >> >>
> >> >> So, if you'd change default_ccache_name to a KEYRING:..-based
> >> >> version and re-logon, you'll be able to maintain multiple
> >> >> credentials caches at the same time.
> >> >>
> >> >> [1]
> >> >> http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
> >> >
> >> >Actually that's not quite right - if you look at krb5.spec you'll
> >> >see it then munges that krb5.conf to add
> >> >
> >> >   default_ccache_name = KEYRING:persistent:%{uid}
> >> >
> >> >so all F25 installs should get that by default - all of my fresh
> >> >installs do.
> >> Mea culpa. Thanks for the correction. So, for fresh F25 installs
> >> this should be working fine -- at least with koji.
> >
> >does anybody know if the krb5-auth-dialog tool [1] works with the
> >credentials cache?
> >
> >[1] https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/
> This is an incorrect question -- everything that supports Kerberos
> works with the credentials caches. I guess you were asking whether
> krb5-auth-dialog does use GSSAPI to choose correct credential cache
> out of a _collection_? The answer is no, it does not use GSSAPI so it
> cannot automatically choose the correct credential cache out of a
> collection.
> 
> krb5-auth-dialog directly uses krb5 API, not GSSAPI, so your only
> choice with it is to use 'kswitch' utility to explicitly switch
> credential cache prior to use of the krb5-auth-dialog.

thanks for the explanation


		Dan
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
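The points made in the thread above, as an added example that is not part of the original mail exchange: a check for whether a krb5.conf selects a credentials cache collection (falling back to the compiled-in `FILE:` default Alexander names), and a simplified model of how a GSSAPI-aware client picks a cache by the target service's realm while a plain krb5-API client such as krb5-auth-dialog only sees the kswitch-selected cache. The sample krb5.conf, principals and realms are constructed placeholders.

```python
# Added example, not code from the thread or from koji/krb5-auth-dialog.
# Sample krb5.conf, principals and realms below are constructed placeholders.

COMPILED_IN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # libkrb5 default named in the thread
COLLECTION_TYPES = {"KEYRING", "DIR", "KCM"}     # ccache types that hold a collection

SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 default_ccache_name = KEYRING:persistent:%{uid}
"""

def default_ccache_name(conf_text):
    """Return [libdefaults] default_ccache_name, or the compiled-in default if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return COMPILED_IN_DEFAULT

def is_collection(ccache_name):
    """True if the ccache type can hold credentials for several principals/realms."""
    return ccache_name.split(":", 1)[0].upper() in COLLECTION_TYPES

def realm_of(principal):
    """Realm part of 'name@REALM' (last '@' wins, as in Kerberos principal syntax)."""
    return principal.rsplit("@", 1)[1]

def select_cache_gssapi(caches, primary, target_service):
    """Simplified GSSAPI behaviour: prefer the cache whose client principal is in
    the target service's realm; otherwise fall back to the primary cache."""
    for principal in caches:
        if realm_of(principal) == realm_of(target_service):
            return principal
    return primary

def select_cache_krb5(caches, primary):
    """Plain krb5 API behaviour: only the currently selected (kswitch) cache is used."""
    return primary if primary in caches else None
```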