Re: F26 System Wide Change: Kerberos KCM credential cache by default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2017-01-31 at 10:24 +0100, Jan Kurik wrote:
> = System Wide Change: Kerberos KCM credential cache by default =
> https://fedoraproject.org/wiki/Changes/KerberosKCMCache
> 
> Change owner(s):
> * Jakub Hrozek 
> 
> 
> Default to a new Kerberos credential cache type called KCM which is
> better suited for containerized environments and provides a better
> user experience in the general case as well.
> 
> 
> == Detailed Description ==
> Over time, Fedora used different credential cache types to store
> Kerberos credentials - going from a simple file-based storage (FILE:)
> to a directory (DIR:) and most recently a kernel-keyring based cache
> (KEYRING:).
> 
> Each of these caches has its own set of advantages and disadvantages.
> The FILE ccache is very widely supported, but does not allow multiple
> primary caches in a collection. The DIR cache does, but creating and
> managing the directories including proper access control can be
> tricky. The KEYRING cache is not well suited for cases where multiple
> semi-isolated environments might share the same kernel. Managing
> credential caches' life cycle is not well solved in neither of these
> cache types automatically, only with the help of a daemon like SSSD.
> 
> The scope of this change is to introduce a new Kerberos credential
> cache type called KCM and switch to using it by default.
> 
> With KCM, the Kerberos caches are not stored in a "passive" store, but
> managed by a daemon. In this setup, the Kerberos library (typically
> used through an application, like for example, kinit) is a "KCM
> client" and the daemon is being referred to as a "KCM server". The KCM
> server will be provided as a socket-activated service of the SSSD
> deamon.

Please ensure this works with winbind. The switch to KEYRING: by
default didn't — pam_winbind was putting creds in /tmp/krb5cc_$UID
still, and then they weren't consistently being found there.

People are still using winbind, because it provides NTLM single-sign-on 
which is unfortunately still required in most Windows/AD networks.

<<attachment: smime.p7s>>

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux