Hey, Speaking as someone who understands a little bit of all the pieces involved here, but without claiming to be an expert in anything ... I would expect Flatpak containers to consume Kerberos in roughly the same way as Toolbox [1] containers do. First, the host must be configured to use KCM credential caches [2]. That's been the case since Fedora 27. The container should similarly be configured to use KCM. Then you bind mount the KCM socket into the container, and things (eg., klist, kinit, other libkrb5 consumers, etc.) should work. On Fedora, you can see the path to the socket with: $ systemctl show --value --property Listen sssd-kcm.socket There's also libkrb5 API to do the same. The socket usually lives at /var/run/.heim_org.h5l.kcm-socket Now, since this is Flatpak, we may eventually want to have a desktop portal to gate access to the socket instead of giving the application blanket access. I vaguely recall these old mockups from pre-Flatpak days, but they very likely need to be revisited: https://wiki.gnome.org/Design/Whiteboards/EnterpriseLogin I hope that makes sense. Cheers, Rishi [1] https://github.com/debarshiray/toolbox [2] https://fedoraproject.org/wiki/Changes/KerberosKCMCache _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
