On 7/22/19 11:16 AM, Charles Hedrick wrote:
> I was surprised to find the methods to do these things aren’t present. Here’s
> what I’ve defined:

Some of this is covered in
https://k5wiki.kerberos.org/wiki/Projects/Credential_cache_collection_improvements
(which unfortunately has not been worked on in quite a while), but not
all of it.

> The first two have uid arguments because of KCM. Every other cache type
> allows you to determine unambiguously what user it’s associated with.

By my reading, KEYRING also doesn't generally include the uid in the name.

> This oddity of KCM is really irritating. It means you have to do setruid
> every time you want to deal with a collection from a daemon, since otherwise
> the name is ambiguous.

The KCM daemon's namespace is machine-global, not uid-specific, and I
don't think doing setruid() would be visible to the daemon anyway (it
should see the euid of the client, not the ruid).

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos