Keytab-based initiator creds design

Russ Allbery rra at stanford.edu
Thu Jun 7 16:35:36 EDT 2012


Simo Sorce <simo at redhat.com> writes:
> On Thu, 2012-06-07 at 13:18 -0700, Russ Allbery wrote:

>> Just FYI, our users would consider it a showstopper bug if a shared
>> cache is used and is destroyed when only one (but not all) of their
>> sessions ended.  I don't know if you have some way of dealing with that
>> in your pam_krb5.

> When sssd is used the default ccache is not destroyed until all user
> processes are gone.

Oh, okay.  That works, then, although it would be surprising behavior for
experienced UNIX Kerberos users who expect to be able to kinit to a
different credential in one window and not have all their other processes
affected.

We used to use shared ticket caches for all sessions when we first
deployed Kerberos in the mid-1990s and intentionally switched to
per-session caches in the late 1990s, and our experience was that it
drastically reduced our support costs and user confusion to have
per-session caches.  Now admittedly that was in a world where it was
difficult to maintain the cache after one session ended, and sssd solves a
big part of the problem with that, but I think you may find some push-back
on this as it becomes more widely deployed.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

