interaction between caches, KEYRING, and NFS

Jason L Tibbitts III tibbs at math.uh.edu
Thu Mar 16 12:26:17 EDT 2017


>>>>> "CH" == Charles Hedrick <hedrick at rutgers.edu> writes:

CH> The KEYRING mechanism is nice, in many ways. But it has some
CH> unexpected effects.

It's always good to mention the actual OS you are using.  I know most
modern Linux distros provide the KEYRING CCACHE type which uses the
kernel's keyring facility.

CH> If it's set to KEYRING:persistent:NNN:XXX, kinit will fail with an
CH> error "kinit: Can't create new subsidiary cache because default
CH> cache is already a subsidiary while generating new ccache."

I did file a ticket when I ran into this in Fedora ages ago.  The Fedora
ticket has since been resolved, but it was cloned into an RHEL ticket
which lives on at https://bugzilla.redhat.com/show_bug.cgi?id=1278017.

CH> Also,
CH> “klist -l” will fail. Actually, it will appear to work, but only
CH> show me the one cache even if there are others.

Works for me in Fedora 25:

ἐπιθυμία:~❯ klist -l
Principal name                 Cache name
--------------                 ----------
tibbs@MATH.UH.EDU              KEYRING:persistent:7225:krb_ccache_CLoU6wS
tibbs@FEDORAPROJECT.ORG        KEYRING:persistent:7225:krb_ccache_1FSCnNf

CH> The problem with making it primary is that if NFS happens
CH> to check my credentials at that point it will fail. rpc.gssd uses a
CH> GSSAPI interface that only checks the primary credentials.

I think this is heavily OS and version dependent.  Might also depend on
gssproxy.

CH> About the best I could come up with is to wrap kinit with a script
CH> that sets KRB5CCNAME to KEYRING:persistent:NNN before doing kinit,
CH> so it always works.

I would suggest just using FILE: so there's no chance of the admin
CCACHE messing with your user credentials.

For the future I have some hope that the plans for SSSD to provide a
CCACHE type will help with a number of issues.  I have had very good
experiences with SSSD and its developers and have some confidence that
they'll come up with something useful.  This was planned to be a Fedora
26 feature but didn't quite make it in time, but I imagine the code will
come along in time.
https://fedoraproject.org/wiki/Changes/KerberosKCMCache has some info.

 - J<
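The wrapper idea from the thread (point kinit at the KEYRING collection rather than at a subsidiary cache), written out as an added example; this is not code from either poster. It assumes MIT Kerberos naming for the persistent keyring collection (KEYRING:persistent:UID, with a subsidiary appended as a fourth colon-separated field, as in the klist -l output above); the function names are hypothetical, and the kinit wrapper is only invoked if you call it yourself.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes MIT Kerberos's
# KEYRING:persistent:<uid>[:<subsidiary>] naming; helper names are hypothetical.

# ccache_collection NAME [UID]
# Print the collection that a ccache name belongs to, so it is safe to hand to
# kinit. A subsidiary KEYRING:persistent:NNN:XXX is reduced to its collection
# KEYRING:persistent:NNN; a bare KEYRING:persistent is completed with the uid;
# anything else (FILE:, DIR:, other keyring anchors) is passed through.
ccache_collection() {
    name=$1
    uid=${2:-$(id -u)}
    case "$name" in
        KEYRING:persistent:*:*)
            # strip the trailing subsidiary field
            printf '%s\n' "${name%:*}"
            ;;
        KEYRING:persistent:*)
            printf '%s\n' "$name"
            ;;
        KEYRING:persistent)
            printf 'KEYRING:persistent:%s\n' "$uid"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# is_subsidiary NAME
# Succeed if NAME is a subsidiary cache inside a persistent keyring collection,
# i.e. the shape that makes kinit fail with "Can't create new subsidiary cache".
is_subsidiary() {
    case "$1" in
        KEYRING:persistent:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# kinit_in_collection [kinit args...]
# Run kinit with KRB5CCNAME set to the collection, never to a subsidiary.
# If KRB5CCNAME is unset we assume the distro default of KEYRING:persistent.
kinit_in_collection() {
    collection=$(ccache_collection "${KRB5CCNAME:-KEYRING:persistent}")
    KRB5CCNAME=$collection kinit "$@"
}
```

Use it as `kinit_in_collection` (or `kinit_in_collection -R`) in place of kinit. Because only the environment of the kinit child is changed, the caller's own KRB5CCNAME, and therefore which cache klist and NFS see as primary, is left exactly as it was.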