>>>>> "CH" == Charles Hedrick <hedr...@rutgers.edu> writes:

CH> The KEYRING mechanism is nice, in many ways. But it has some
CH> unexpected effects.

It's always good to mention the actual OS you are using. I know most modern Linux distros provide the KEYRING CCACHE type which uses the kernel's keyring facility.

CH> If it's set to KEYRING:persistent:NNN:XXX, kinit will fail with an
CH> error "kinit: Can't create new subsidiary cache because default
CH> cache is already a subsidiary while generating new ccache."

I did file a ticket when I ran into this in Fedora ages ago. The Fedora ticket has since been resolved, but it was cloned into an RHEL ticket which lives on at https://bugzilla.redhat.com/show_bug.cgi?id=1278017.

CH> Also, "klist -l" will fail. Actually, it will appear to work, but only
CH> show me the one cache even if there are others.

Works for me in Fedora 25:

ἐπιθυμία:~❯ klist -l
Principal name                  Cache name
--------------                  ----------
ti...@math.uh.edu               KEYRING:persistent:7225:krb_ccache_CLoU6wS
ti...@fedoraproject.org         KEYRING:persistent:7225:krb_ccache_1FSCnNf

CH> The problem with making it primary is that if NFS happens
CH> to check my credentials at that point it will fail. rpc.gssd uses a
CH> GSSAPI interface that only checks the primary credentials.

I think this is heavily OS and version dependent. Might also depend on gssproxy.

CH> About the best I could come up with is to wrap kinit with a script
CH> that sets KRB5CCNAME to KEYRING:persistent:NNN before doing kinit,
CH> so it always works.

I would suggest just using FILE: so there's no chance of the admin CCACHE messing with your user credentials.

For the future I have some hope that the plans for SSSD to provide a CCACHE type will help with a number of issues. I have had very good experiences with SSSD and its developers and have some confidence that they'll come up with something useful. This was planned to be a Fedora 26 feature but didn't quite make it in time, but I imagine the code will come along in time.
https://fedoraproject.org/wiki/Changes/KerberosKCMCache has some info.

- J<

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
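The wrapper-script approach discussed in the thread, written out as an added example (this is not code from either poster): it detects a KRB5CCNAME that points at a subsidiary cache (KEYRING:persistent:NNN:XXX), falls back to the user's collection-level cache, and supports the FILE: alternative suggested in the reply. Assumptions: the current UID is the NNN of the persistent keyring, the FILE: path /tmp/krb5cc_UID is a constructed convention, and the KINIT_CCACHE_TYPE environment variable is a hypothetical knob introduced here to pick the cache type.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: the KEYRING collection for this user is KEYRING:persistent:$(id -u),
# the FILE: path is a constructed convention, and KINIT_CCACHE_TYPE is a
# hypothetical variable that selects which cache type the wrapper uses.

# Print the collection-level credential cache name for a cache type and uid.
# $1 = KEYRING or FILE, $2 = numeric uid. Returns 1 for an unsupported type.
ccache_for() {
    case "$1" in
        KEYRING) printf 'KEYRING:persistent:%s\n' "$2" ;;
        FILE)    printf 'FILE:/tmp/krb5cc_%s\n' "$2" ;;
        *)       echo "ccache_for: unsupported cache type '$1'" >&2; return 1 ;;
    esac
}

# Return 0 when a KRB5CCNAME value names a *subsidiary* keyring cache
# (KEYRING:persistent:NNN:XXX), the shape that makes kinit refuse to
# create a new subsidiary cache. A bare KEYRING:persistent:NNN returns 1.
is_subsidiary_keyring() {
    case "$1" in
        KEYRING:persistent:*:*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Wrapper around kinit: always point KRB5CCNAME at the collection (or a
# FILE: cache) before running kinit, so it does not inherit a subsidiary
# cache from the environment, e.g. one set by an admin-level process.
kinit_wrapped() {
    cctype="${KINIT_CCACHE_TYPE:-KEYRING}"
    uid=$(id -u)
    if is_subsidiary_keyring "${KRB5CCNAME:-}"; then
        echo "KRB5CCNAME=$KRB5CCNAME is a subsidiary cache; using the collection instead" >&2
    fi
    KRB5CCNAME=$(ccache_for "$cctype" "$uid") || return 1
    export KRB5CCNAME
    kinit "$@"
}

# Run kinit through the wrapper only when invoked with arguments,
# e.g.:  KINIT_CCACHE_TYPE=FILE ./kinit-wrap.sh user@EXAMPLE.COM
if [ $# -gt 0 ]; then
    kinit_wrapped "$@"
fi
```

After kinit succeeds, `klist -l` should list the new cache under the collection rather than reporting a subsidiary-cache error; with KINIT_CCACHE_TYPE=FILE the credentials land in a per-user FILE: cache that no keyring-level process shares.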