krb5 library missing functions for collections

Greg Hudson ghudson at mit.edu
Mon Jul 22 13:00:48 EDT 2019


On 7/22/19 11:16 AM, Charles Hedrick wrote:
> I was surprised to find the methods to do these things aren’t present. Here’s what I’ve defined:

Some of this is covered in
https://k5wiki.kerberos.org/wiki/Projects/Credential_cache_collection_improvements
(which unfortunately has not been worked on in quite a while), but not
all of it.

> The first two have uid arguments because of KCM. Every other cache type allows you to determine unambiguously what user it’s associated with.

By my reading, KEYRING also doesn't generally include the uid in the name.

> This oddity of KCM is really irritating. It means you have to do setruid every time you want to deal with a collection from a daemon, since otherwise the name is ambiguous.

The KCM daemon's namespace is machine-global, not uid-specific, and I
don't think doing setruid() would be visible to the daemon anyway (it
should see the euid of the client, not the ruid).
