interaction between caches, KEYRING, and NFS
Jason L Tibbitts III
tibbs at math.uh.edu
Thu Mar 16 12:26:17 EDT 2017
>>>>> "CH" == Charles Hedrick <hedrick at rutgers.edu> writes:
CH> The KEYRING mechanism is nice, in many ways. But it has some
CH> unexpected effects.
It's always good to mention the actual OS you are using. I know most
modern Linux distros provide the KEYRING CCACHE type which uses the
kernel's keyring facility.
CH> If it's set to KEYRING:persistent:NNN:XXX, kinit will fail with an
CH> error "kinit: Can't create new subsidiary cache because default
CH> cache is already a subsidiary while generating new ccache."
I did file a ticket when I ran into this in Fedora ages ago. The Fedora
ticket has since been resolved, but it was cloned into an RHEL ticket
which lives on at https://bugzilla.redhat.com/show_bug.cgi?id=1278017.
CH> Also,
CH> "klist -l" will fail. Actually, it will appear to work, but only
CH> show me the one cache even if there are others.
Works for me in Fedora 25:
ἐπιθυμία:~❯ klist -l
Principal name Cache name
-------------- ----------
tibbs at MATH.UH.EDU KEYRING:persistent:7225:krb_ccache_CLoU6wS
tibbs at FEDORAPROJECT.ORG KEYRING:persistent:7225:krb_ccache_1FSCnNf
CH> The problem with making it primary is that if NFS happens
CH> to check my credentials at that point it will fail. rpc.gssd uses a
CH> GSSAPI interface that only checks the primary credentials.
I think this is heavily OS and version dependent. Might also depend on
gssproxy.
CH> About the best I could come up with is to wrap kinit with a script
CH> that sets KRB5CCNAME to KEYRING:persistent:NNN before doing kinit,
CH> so it always works.
I would suggest just using FILE: so there's no chance of the admin
CCACHE messing with your user credentials.
For the future I have some hope that the plans for SSSD to provide a
CCACHE type will help with a number of issues. I have had very good
experiences with SSSD and its developers and have some confidence that
they'll come up with something useful. This was planned to be a Fedora
26 feature but didn't quite make it in time, but I imagine the code will
come along in time.
https://fedoraproject.org/wiki/Changes/KerberosKCMCache has some info.
- J<
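The wrapper Charles describes, written out as an added example (not code from either poster): if KRB5CCNAME names a subsidiary cache, KEYRING:persistent:NNN:XXX, it is reduced to the collection KEYRING:persistent:NNN before kinit runs; FILE:, DIR: and an existing collection name pass through unchanged. The script name kinit-wrapper and the fallback to the caller's uid when KRB5CCNAME is unset are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Maps the current KRB5CCNAME to a value
# kinit can always create a cache in, so that a subsidiary KEYRING cache set
# by the admin's CCACHE does not trigger "Can't create new subsidiary cache".

# Print the ccache name to hand to kinit for the value in $1.
# $2 is the numeric uid used when KRB5CCNAME is unset (assumed default).
ccache_for_kinit() {
    name=$1
    uid=$2
    case $name in
        '')
            # Nothing set: use the per-uid persistent keyring collection.
            printf 'KEYRING:persistent:%s\n' "$uid"
            ;;
        KEYRING:persistent:*:*)
            # Subsidiary cache (four fields): drop the trailing ":XXX" so the
            # result is the collection KEYRING:persistent:NNN.
            printf '%s\n' "${name%:*}"
            ;;
        *)
            # Already a collection, or FILE:/DIR:/etc.: pass through unchanged.
            printf '%s\n' "$name"
            ;;
    esac
}

# Wrapper entry point: export the computed name and replace ourselves with kinit.
kinit_wrapper() {
    KRB5CCNAME=$(ccache_for_kinit "${KRB5CCNAME-}" "$(id -u)")
    export KRB5CCNAME
    exec kinit "$@"
}

# Only run kinit when executed as the installed script, not when sourced
# for testing (the script name is an assumption).
case $0 in
    *kinit-wrapper*) kinit_wrapper "$@" ;;
esac
```

Install it as kinit-wrapper somewhere earlier in PATH than kinit, or alias kinit to it; klist afterwards shows the new ticket in the collection rather than in the subsidiary cache the environment pointed at.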