Fedora ticket cache location

Russ Allbery rra at stanford.edu
Thu Jun 7 16:50:43 EDT 2012


Nico Williams <nico at cryptonector.com> writes:

> The problem is that if you want NFS/AFS/SMB/... to know how to find and
> use this temporary ccache... how will they do that?  The traditional
> answers have been:

>  - Solaris NFS -> use per-user default; no temp ccaches, sorry
>  - AFS -> set PAG, set tokens
>  - Linux NFS -> use keyrings(?)

I think the only long-term viable way to handle credentials for file
system access is to create some sort of explicit association between the
current process or thread and the desired credentials in the kernel, since
otherwise you have the problem that a user may have multiple credentials
and you have to guess which ones they want to use for any given operation.
And will probably guess wrong.

I don't think it's the place of the Kerberos library to try to solve this
problem, and I don't think a search path is a viable solution to it.  For
any possible search path, I can give you a use case with a granularity of
access that can't be represented by it.  (For one particular degenerate
case, think a threaded Apache server with proxied credentials.)

> I think in general when you say "temporary ccache" you want either a)
> something that NFS/AFS/SMB won't use, or b) a new session so they can
> find your credentials.

Right now, (a) is the most common case, but indeed I think (b) is becoming
more common.  Note that k5start and krenew already have code to create a
new AFS session and tie it to the newly created credentials.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
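The point Russ makes above (a process-wide credential search path has to guess which user's credentials a given thread wants, while an explicit per-thread association does not) can be seen in a small simulation. This is an added illustration, not code from the thread or from any Kerberos implementation: the `CredentialCache`, `bind_credentials` and `serve_requests` names, the `EXAMPLE.COM` principals and the thread-local slot standing in for a kernel keyring or PAG are all constructed for the example.

```python
import threading

# Added illustration (not from the mailing-list thread): why a library-level
# ccache search path cannot choose the right credentials in a threaded,
# multi-user server, while an explicit per-thread binding can.
# All names and principals below are hypothetical/constructed.

class CredentialCache:
    """Stand-in for a Kerberos credential cache holding one principal."""
    def __init__(self, principal):
        self.principal = principal

def resolve_by_search_path(search_path):
    """Library-style resolution: walk a fixed search path and return the first
    cache that exists.  The path is process-wide, so it cannot tell which
    thread (and therefore which user) is asking."""
    for cache in search_path:
        if cache is not None:
            return cache
    return None

# Thread-local slot standing in for a kernel keyring / PAG style association
# between the current thread and its credentials.
_bound = threading.local()

def bind_credentials(cache):
    """Explicitly associate the calling thread with a credential cache."""
    _bound.cache = cache

def resolve_by_binding():
    """Return whatever cache the calling thread was explicitly bound to."""
    return getattr(_bound, "cache", None)

def serve_requests(users, use_binding):
    """Simulate a threaded server: one worker thread per user, each doing a
    file-system operation that needs Kerberos credentials.  Returns a map
    from requesting user to the principal whose credentials were used."""
    caches = {u: CredentialCache(f"{u}@EXAMPLE.COM") for u in users}  # constructed
    search_path = [caches[u] for u in users]      # one process-wide search path
    used = {}
    lock = threading.Lock()
    start = threading.Barrier(len(users))         # make the threads overlap

    def worker(user):
        if use_binding:
            bind_credentials(caches[user])        # this request's proxied credentials
        start.wait()
        if use_binding:
            cache = resolve_by_binding()
        else:
            cache = resolve_by_search_path(search_path)
        with lock:
            used[user] = cache.principal if cache else None

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return used

def wrong_choices(users, use_binding):
    """Count requests that were served with another user's credentials."""
    used = serve_requests(users, use_binding)
    return sum(1 for u in users if used[u] != f"{u}@EXAMPLE.COM")

if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    print("search path:", serve_requests(users, use_binding=False))
    print("binding    :", serve_requests(users, use_binding=True))
```

With the search path, every thread resolves to the first cache on the path, so all but one request run as the wrong user; with the explicit binding each thread gets the credentials it was associated with. The same reasoning is why the thread prefers a kernel-level association (keyrings, PAGs) over any ordering of caches the library could consult.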


More information about the krbdev mailing list