On 7/26/19 9:09 AM, Charles Hedrick wrote:
> I’ve submitted a feature request to fix the default ccselect plugin so
> it reads /etc/k5identity if the user doesn’t have one or it doesn’t
> apply. Also, you’d need to recognize ${username}. That would let me
> specify a policy for NFS credentials, which could conceivably even
> differ for different file servers. I think that’s the best that can be
> done with the current kernel.

A possible pure-userspace solution is to establish a local directory per user in a well-known location, where users (or some agent operating as the user's uid) can copy a ticket cache into a well-known filename. If rpc.gssd finds a cache there, it could use it in preference to picking from the user's collection. This doesn't give the kind of per-process control you can get from AFS's pagsh, but it does give control to users as opposed to a root-owned file like /etc/k5identity.

On machines using systemd, /run/user/uid could be leveraged for this purpose, although that directory will only exist while the user is logged in (so not for cron jobs).

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
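
The checks a root daemon such as rpc.gssd would need before trusting a cache found in the per-user directory proposed above, as an added example that is not part of the original post and is not rpc.gssd code. The filename `nfs_ccache` and the function name `open_user_nfs_ccache` are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed filename; the post only says "a well-known filename". */
#define NFS_CCACHE_NAME "nfs_ccache"

/* Open <dir>/NFS_CCACHE_NAME on behalf of uid. The user controls the directory
 * contents, so every property is checked on open descriptors, not on paths.
 * Returns a read-only fd, or -1 (caller falls back to the collection). */
int open_user_nfs_ccache(const char *dir, uid_t uid)
{
    struct stat st;
    int dfd, fd;
    /* The per-user directory itself must not be a symlink. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* It must belong to the user and be writable by nobody else. */
    if (fstat(dfd, &st) != 0 || st.st_uid != uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    /* O_NOFOLLOW: no symlink to someone else's cache. O_NONBLOCK: a FIFO
     * planted under this name cannot stall the daemon. */
    fd = openat(dfd, NFS_CCACHE_NAME, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Regular file, owned by uid, no group/other permission bits. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_user_nfs_ccache(argv[1], geteuid()) : -1;
    puts(fd >= 0 ? "usable cache" : "no usable cache, use the collection");
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The ownership check on the descriptor also rejects a hard link to another user's cache, since a hard link keeps the original owner.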