On Tue, Jan 31, 2017 at 09:36:59AM +0000, David Woodhouse wrote:
> On Tue, 2017-01-31 at 10:24 +0100, Jan Kurik wrote:
> > = System Wide Change: Kerberos KCM credential cache by default =
> > https://fedoraproject.org/wiki/Changes/KerberosKCMCache
> >
> > Change owner(s):
> > * Jakub Hrozek
> >
> > Default to a new Kerberos credential cache type called KCM which is
> > better suited for containerized environments and provides a better
> > user experience in the general case as well.
> >
> > == Detailed Description ==
> > Over time, Fedora used different credential cache types to store
> > Kerberos credentials - going from a simple file-based storage (FILE:)
> > to a directory (DIR:) and most recently a kernel-keyring based cache
> > (KEYRING:).
> >
> > Each of these caches has its own set of advantages and disadvantages.
> > The FILE ccache is very widely supported, but does not allow multiple
> > primary caches in a collection. The DIR cache does, but creating and
> > managing the directories including proper access control can be
> > tricky. The KEYRING cache is not well suited for cases where multiple
> > semi-isolated environments might share the same kernel. Managing
> > credential caches' life cycle is not well solved in either of these
> > cache types automatically, only with the help of a daemon like SSSD.
> >
> > The scope of this change is to introduce a new Kerberos credential
> > cache type called KCM and switch to using it by default.
> >
> > With KCM, the Kerberos caches are not stored in a "passive" store, but
> > managed by a daemon. In this setup, the Kerberos library (typically
> > used through an application, like for example, kinit) is a "KCM
> > client" and the daemon is being referred to as a "KCM server". The KCM
> > server will be provided as a socket-activated service of the SSSD
> > daemon.
>
> Please ensure this works with winbind. The switch to KEYRING: by
> default didn't — pam_winbind was putting creds in /tmp/krb5cc_$UID
> still, and then they weren't consistently being found there.
>
> People are still using winbind, because it provides NTLM single-sign-on
> which is unfortunately still required in most Windows/AD networks.

I'm not really well-versed with winbind, so honestly I'm not sure what
limitation it has wrt Kerberos ccaches. Was this ever reported as a bug
against winbind?

But please see my other reply to the thread, there is nothing inherently
SSSD-specific about this change and nothing that would require you to use
the rest of SSSD.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
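The interoperability problem raised in the thread (one component writing credentials to a bare /tmp/krb5cc_$UID path while the system default has moved to KEYRING: or KCM:) is easiest to catch by checking which credential cache a process will actually resolve. The script below is an added diagnostic example, not code from the thread, from SSSD or from MIT Kerberos. It mirrors the libkrb5 precedence order as an assumption: KRB5CCNAME in the environment, then default_ccache_name in the [libdefaults] section of krb5.conf (with the %{uid} parameter expanded), then the built-in FILE:/tmp/krb5cc_<uid> default. The krb5.conf it parses is a constructed sample written to a temporary file.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread or SSSD): work out which
# credential cache a Kerberos client process would use, so mismatches like
# the pam_winbind one in the thread (creds in /tmp/krb5cc_$UID while the
# system default is KEYRING: or KCM:) become visible before users hit them.

# Resolve the effective ccache name in the precedence order libkrb5 uses
# (assumption stated in the lead-in):
#   1. KRB5CCNAME from the environment
#   2. default_ccache_name in [libdefaults] of krb5.conf
#   3. the built-in default FILE:/tmp/krb5cc_<uid>
# Arguments: KRB5CCNAME value (may be empty), krb5.conf path, numeric uid.
effective_ccache() {
    env_name=$1; conf=$2; uid=$3
    if [ -n "$env_name" ]; then
        printf '%s\n' "$env_name"
        return 0
    fi
    # Only honour the key when it appears inside the [libdefaults] section.
    conf_name=$(awk -v s=0 '
        /^[[:space:]]*\[/ { s = ($0 ~ /^[[:space:]]*\[libdefaults\]/) }
        s && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$conf")
    if [ -n "$conf_name" ]; then
        # Expand the %{uid} parameter that krb5.conf allows in this value.
        printf '%s\n' "$conf_name" | sed "s/%{uid}/$uid/g"
        return 0
    fi
    printf 'FILE:/tmp/krb5cc_%s\n' "$uid"
}

# Extract the ccache type from a name. A name with no "TYPE:" prefix is a
# FILE ccache, which is what the bare /tmp/krb5cc_$UID path resolves to.
ccache_type() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Constructed sample krb5.conf, written to a temp file so the script runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KCM:

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF

# Demonstration: a process that honours krb5.conf versus one that writes to
# a hard-coded FILE path, as the report above describes for pam_winbind.
for name in "$(effective_ccache '' "$SAMPLE_CONF" 1000)" "/tmp/krb5cc_1000"; do
    printf '%-40s type=%s\n' "$name" "$(ccache_type "$name")"
done
```

Run it as a normal user to see the two resolved names side by side; if the types differ, credentials written by the one component will not be found by clients using the other, which is exactly the symptom the thread describes for KEYRING:.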