Keytab-based initiator creds design
Simo Sorce
simo at redhat.com
Thu Jun 7 16:21:12 EDT 2012
On Thu, 2012-06-07 at 15:59 -0400, Greg Hudson wrote:
> On 06/07/2012 02:56 PM, Simo Sorce wrote:
> >>
> >> - /{var, run}/krb5/user/$USER/keytab
> >> - /{var, run}/krb5/user/$USER/ccache
> >> - /{var, run}/krb5/user/$USER/default_principal
>
> How would this work on Windows?
>
> > So I think I like this proposal, it aligns well with what we are already
> > trying to do there.
> >
> > The /run location should be /run/user/$USER/krb5/ccache though as that
> > is where the various pam modules put stuff
>
> I'm confused. If we're going to make an effort to align with where
> Fedora happens to put the default per-user ccache, how is that better
> than just using the default ccache? It seems to negate the "no
> surprise" benefit.
Well, daemons do not typically log in, so they have no ccache. For real
users, I am not sure it would be a surprise; it might, but I think daemons
that run under root or a real user ID really SHOULD set the KRB5CCNAME
env var always. It is just wrong not to do that.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
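The rule argued for above, that a daemon must set KRB5CCNAME explicitly rather than inherit whatever default ccache the login machinery left behind, can be enforced at service start. The following is an added example, not code from the thread or from MIT krb5: a POSIX sh function a daemon's wrapper script could run before exec, which checks that KRB5CCNAME is set, names a FILE: ccache, and that the file is owned by the running uid with mode 0600. The GNU `stat -c` format and the distinct exit codes are this example's own choices.

```shell
# check_krb5ccname [name]
# Validates the ccache name given as $1, or $KRB5CCNAME if no argument.
# Exit codes: 0 ok, 1 unset, 2 unsupported ccache type, 3 file missing,
#             4 not owned by the current uid, 5 mode more permissive than 0600.
check_krb5ccname() {
    ccname="${1-${KRB5CCNAME-}}"
    [ -n "$ccname" ] || return 1
    case "$ccname" in
        FILE:*) path="${ccname#FILE:}" ;;
        /*)     path="$ccname" ;;   # a bare path is treated as FILE: by libkrb5
        *)      return 2 ;;         # DIR:, KEYRING:, KCM: would need their own checks
    esac
    [ -f "$path" ] || return 3
    # GNU stat: owner uid and octal permission bits (assumed available here)
    set -- $(stat -c '%u %a' "$path")
    [ "$1" = "$(id -u)" ] || return 4
    [ "$2" = "600" ] || return 5
    return 0
}

# Typical use in a service wrapper (constructed path, not a real deployment):
#   export KRB5CCNAME=FILE:/run/myservice/krb5cc
#   check_krb5ccname || { echo "refusing to start: bad KRB5CCNAME" >&2; exit 1; }
```

Returning a distinct code per failure lets the wrapper log why the credential cache was rejected (unset variable versus a world-readable file) instead of letting the daemon silently fall through to a per-user default it never meant to use.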