krb5 library missing functions for collections

Greg Hudson ghudson at mit.edu
Fri Jul 26 11:22:31 EDT 2019


On 7/26/19 9:09 AM, Charles Hedrick wrote:
> I’ve submitted a feature request to fix the default ccselect plugin so
> it reads /etc/k5identity if the user doesn’t have one or it doesn’t
> apply. Also, you’d need to recognize ${username}. That would let me
> specify a policy for NFS credentials, which could conceivably even
> differ for different file servers. I think that’s the best that can be
> done with the current kernel.

A possible pure-userspace solution is to establish a local directory per
user in a well-known location, where users (or some agent operating as
the user's uid) can copy a ticket cache under a well-known filename.
If rpc.gssd finds a cache there, it could use it in preference to
picking from the user's collection.  This doesn't give the kind of
per-process control you can get from AFS's pagsh, but it does give
control to users as opposed to a root-owned file like /etc/k5identity.
On machines using systemd, /run/user/uid could be leveraged for this
purpose, although that directory will only exist while the user is
logged in (so not for cron jobs).
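The selection logic sketched in this message, as an added illustration rather than code from the thread, from rpc.gssd or from MIT krb5: the base directory (/run/user), the well-known filename (krb5cc_nfs) and the fallback collection name are all assumptions. The point the sketch adds is the checks a consumer would want before trusting a user-deposited cache: the directory and file must belong to the target uid, must not be writable by anyone else, and the file must be a regular file rather than a symlink, so that nobody can plant a cache for another user. When the directory is absent (the cron case mentioned above) it falls back to the user's collection.

```python
"""Choose a Kerberos ccache for a given uid, preferring a cache the user
has deposited in a per-user directory and otherwise falling back to the
user's default collection.

Illustrative only: BASE_DIR, CACHE_NAME and the fallback collection name
are assumptions for this example, not rpc.gssd or MIT krb5 behaviour."""
import os
import stat
import tempfile
from typing import Optional

BASE_DIR = "/run/user"      # assumed well-known per-user location (systemd)
CACHE_NAME = "krb5cc_nfs"   # assumed well-known filename inside that directory


def _owned_and_private(st: os.stat_result, uid: int) -> bool:
    """Object must be owned by uid and not writable by group or others."""
    return st.st_uid == uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def user_supplied_ccache(uid: int, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return 'FILE:<path>' if uid has deposited a usable cache, else None."""
    user_dir = os.path.join(base_dir, str(uid))
    try:
        dir_st = os.lstat(user_dir)
    except FileNotFoundError:
        return None  # user not logged in (e.g. a cron job) or no such layout
    if not stat.S_ISDIR(dir_st.st_mode) or not _owned_and_private(dir_st, uid):
        return None  # directory planted or exposed by someone else: ignore it
    path = os.path.join(user_dir, CACHE_NAME)
    try:
        st = os.lstat(path)  # lstat so a symlink to someone else's cache is refused
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode) or not _owned_and_private(st, uid):
        return None
    if st.st_size == 0:
        return None  # an empty file cannot be a cache; fall back
    return "FILE:" + path


def select_ccache(uid: int, base_dir: str = BASE_DIR,
                  fallback: str = "KEYRING:persistent:{uid}") -> str:
    """Prefer the user-supplied cache; otherwise use the user's collection."""
    chosen = user_supplied_ccache(uid, base_dir)
    return chosen if chosen else fallback.format(uid=uid)


def demo(uid: Optional[int] = None) -> dict:
    """Build a constructed per-user layout in a temp dir and exercise the
    selection in the cases the message discusses. Returns the choices made."""
    uid = os.getuid() if uid is None else uid
    base = tempfile.mkdtemp()
    results = {"no_dir": select_ccache(uid, base)}
    user_dir = os.path.join(base, str(uid))
    os.mkdir(user_dir)
    os.chmod(user_dir, 0o700)
    results["dir_only"] = select_ccache(uid, base)
    path = os.path.join(user_dir, CACHE_NAME)
    with open(path, "wb") as f:
        f.write(b"\x05\x04")  # constructed placeholder bytes, not a real ccache
    os.chmod(path, 0o600)
    results["deposited"] = select_ccache(uid, base)
    results["other_uid"] = select_ccache(uid + 1, base)  # same dir, wrong owner
    os.chmod(path, 0o666)
    results["world_writable"] = select_ccache(uid, base)
    return results


if __name__ == "__main__":
    for case, choice in demo().items():
        print(f"{case:15s} -> {choice}")
```

A real consumer would go on to open the cache and confirm the default principal before using it; the checks here only decide whether the file is worth opening at all.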

