TGT for principals getting destroyed automatically
Russ Allbery
rra at stanford.edu
Fri May 3 11:47:59 EDT 2013
Greg Hudson <ghudson at MIT.EDU> writes:
> Prior to the 1.11 release, there is no config file setting for the
> default credential cache. The only discovery mechanisms are the
> KRB5CCNAME environment variable (which is often set by the login system,
> if pam_krb5 is in use) and the hardcoded default of /tmp/krb5cc_NNNN.
> In the 1.11 release, the default credential cache can be specified in
> the [libdefaults] section of /etc/krb5.conf with the default_ccache_name
> variable. The value is subject to parameter expansion as described here:
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#parameter-expansion

Note that if you're using a Kerberos PAM module, you will probably need to
separately configure its cache location, since most Kerberos PAM modules
don't use the library default. The library default has been
/tmp/krb5cc_NNNN for ages, and that default cache naming doesn't allow for
a separate ticket cache per login session (which is normally the behavior
people want). Therefore, most PAM modules have their own independent
defaults.

For mine, for example:

When pam_setcred() is called to initialize a new ticket cache, the
environment variable KRB5CCNAME is set to the path to that ticket
cache. By default, the cache will be named /tmp/krb5cc_UID_RANDOM
where UID is the user's UID and RANDOM is six randomly-chosen letters.
This can be configured with the ccache and ccache_dir options.

-- 
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
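The discovery order Greg describes (KRB5CCNAME, then default_ccache_name with parameter expansion on 1.11 and later, then the hardcoded /tmp/krb5cc_UID) and the per-session /tmp/krb5cc_UID_RANDOM naming Russ quotes from his PAM module are small enough to model directly. The following is an added illustration written for this thread, not code from MIT krb5 or from pam-krb5. It assumes a handful of %{...} tokens (uid, euid, username, TEMP, null), a subset of what the linked documentation lists, and a constructed krb5.conf fragment; the function and variable names are the example's own.

```python
"""Model of Kerberos credential-cache discovery and name expansion (added example)."""
import re
import secrets
import string

# Compiled-in fallback when neither the environment nor krb5.conf says otherwise.
HARDCODED_DEFAULT = "/tmp/krb5cc_%{uid}"

_TOKEN = re.compile(r"%\{([^}]+)\}")

# Constructed sample krb5.conf fragment (assumption: not from the original post).
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = DIR:/run/user/%{uid}/krb5cc
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(conf_text):
    """Return the key = value pairs of the [libdefaults] section of a
    krb5.conf-style text. Comment lines (# or ;) and other sections are skipped."""
    values = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def expand_params(value, uid, username, tmpdir="/tmp"):
    """Expand %{...} tokens in a ccache name. Only the tokens in the table are
    handled (assumption: a subset of the real set). An unknown token raises
    instead of being left in place, so a typo in krb5.conf cannot silently
    yield a cache path nobody intended."""
    table = {"uid": str(uid), "euid": str(uid), "username": username,
             "TEMP": tmpdir, "null": ""}

    def substitute(match):
        name = match.group(1)
        if name not in table:
            raise ValueError(f"unsupported parameter %{{{name}}} in ccache name")
        return table[name]

    return _TOKEN.sub(substitute, value)


def resolve_default_ccache(env, conf_text, uid, username, krb5_version=(1, 11)):
    """Discovery order from the thread:
    1. KRB5CCNAME in the environment (typically set by the login system / PAM);
    2. default_ccache_name from [libdefaults], honoured only from 1.11 on;
    3. the hardcoded /tmp/krb5cc_UID."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]
    if krb5_version >= (1, 11):
        configured = parse_libdefaults(conf_text).get("default_ccache_name")
        if configured:
            return expand_params(configured, uid, username)
    return expand_params(HARDCODED_DEFAULT, uid, username)


def pam_session_ccache(uid, ccache_dir="/tmp"):
    """Per-login-session cache name of the form /tmp/krb5cc_UID_RANDOM, with
    RANDOM being six randomly chosen letters, as described for pam-krb5."""
    suffix = "".join(secrets.choice(string.ascii_letters) for _ in range(6))
    return f"{ccache_dir}/krb5cc_{uid}_{suffix}"


if __name__ == "__main__":
    # No KRB5CCNAME: the 1.11 library falls back to the configured name.
    print(resolve_default_ccache({}, SAMPLE_CONF, 1000, "alice"))
    # Same config on a pre-1.11 library: default_ccache_name is ignored.
    print(resolve_default_ccache({}, SAMPLE_CONF, 1000, "alice", krb5_version=(1, 10)))
    # A PAM module that picks its own per-session name and exports it.
    print(pam_session_ccache(1000))
```

Note the practical consequence of the second call: on a library older than 1.11 the [libdefaults] setting is silently ignored, so a host that still runs an older library keeps sharing one /tmp/krb5cc_UID cache across all of a user's sessions unless the PAM module sets KRB5CCNAME itself.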