Greg Hudson <ghud...@mit.edu> writes:

> On 7/22/19 1:39 PM, Charles Hedrick wrote:
>
>> Please be aware that I'm using Redhat's KCM implementation in
>> sssd. It's supposed to be compatible with Heimdal's, but based on
>> documentation it appears that it may not be.
>>
>> The default value of KRB5CCNAME is simply KCM: It had better be
>> user-specific, or everybody shares a collection.
>
> The Heimdal KCM implements a single global collection with access
> control on individual caches, with the euid and egid of the client as
> the access keys. If a client doesn't have access to a cache, it isn't
> visible in the collection as presented to that client. Clients can
> only create ccaches with names beginning with their "<euid>:" prefix.
>
> In practice, users other than root will typically see disjoint
> collections, where each cache name begins with the client's euid. But
> that's not a fundamental property of the daemon, and therefore not an
> assumption of either the MIT krb5 or Heimdal client code.
>
> One could conceivably build this namespace assumption into the client,
> retrofitting it to treat "KCM:uid" as a collection by filtering out
> caches whose names don't begin with the uid prefix. Unfortunately
> that wouldn't be 100% backward-compatible, as the Heimdal kcm daemon
> allows clients to create individual caches named with only the euid
> (with no ":" afterwards). Perhaps that's not important, though.
>
> The sssd KCM may have different semantics from Heimdal's. If it doesn't
> let root see caches owned by other uids, then that would also have to be
> changed to allow "KCM:uid" to work for root.
(CCing Jakub in case I miss anything here.)

To my reading, SSSD's KCM deliberately allows root to access all ccaches but not list them. See
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L75-L80
and
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L144-L156

Thanks,
--Robbie
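A constructed Python model of the two KCM access semantics compared in this thread (an added illustration, not Heimdal or sssd code). The `KcmDaemon` and `Client` names are invented, access is simplified to euid matching (egid is recorded but not consulted), and `collection_for` is the client-side "KCM:uid" prefix filter Greg sketches, so it shows both the root-listing difference and the bare-euid compatibility gap.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    euid: int
    egid: int


@dataclass
class KcmDaemon:
    """Single global collection; each cache is keyed by its creator's (euid, egid)."""
    caches: dict = field(default_factory=dict)
    # True models the Heimdal behaviour (root sees everything it can access);
    # False models the sssd behaviour described above (root can access, not list).
    root_can_list: bool = True

    def create(self, client: Client, name: str) -> None:
        # Non-root clients may only create "<euid>:..." caches; the bare "<euid>"
        # form is also accepted, mirroring the Heimdal daemon's behaviour.
        if client.euid != 0 and name != str(client.euid) and not name.startswith(f"{client.euid}:"):
            raise PermissionError(f"uid {client.euid} may not create cache {name!r}")
        self.caches[name] = (client.euid, client.egid)

    def _can_access(self, client: Client, name: str) -> bool:
        owner_uid, _owner_gid = self.caches[name]
        return client.euid == 0 or client.euid == owner_uid  # assumption: euid only

    def get(self, client: Client, name: str):
        if name not in self.caches or not self._can_access(client, name):
            raise PermissionError(f"cache {name!r} is not accessible to uid {client.euid}")
        return self.caches[name]

    def list_visible(self, client: Client) -> list:
        if client.euid == 0 and not self.root_can_list:
            return []  # root may still get() by name, but the listing is empty
        return sorted(n for n in self.caches if self._can_access(client, n))


def collection_for(kcm: KcmDaemon, client: Client) -> list:
    """Client-side 'KCM:uid' filter: keep only caches whose names start with '<euid>:'."""
    prefix = f"{client.euid}:"
    return [n for n in kcm.list_visible(client) if n.startswith(prefix)]


def demo(root_can_list: bool = True) -> dict:
    # Constructed scenario: two users, one of whom also created a bare-euid cache.
    kcm = KcmDaemon(root_can_list=root_can_list)
    alice, bob, root = Client(1000, 1000), Client(1001, 1001), Client(0, 0)
    kcm.create(alice, "1000:main")
    kcm.create(alice, "1000")
    kcm.create(bob, "1001:main")
    return {
        "alice_sees": kcm.list_visible(alice),
        "alice_collection": collection_for(kcm, alice),  # bare "1000" is dropped
        "root_sees": kcm.list_visible(root),
        "root_collection": collection_for(kcm, root),    # nothing starts with "0:"
        "root_can_get_bob": kcm.get(root, "1001:main") is not None,
    }
```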
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos