Keytab-based initiator creds design

Simo Sorce simo at redhat.com
Thu Jun 7 17:36:13 EDT 2012


On Thu, 2012-06-07 at 13:35 -0700, Russ Allbery wrote:
> Simo Sorce <simo at redhat.com> writes:
> > On Thu, 2012-06-07 at 13:18 -0700, Russ Allbery wrote:
> 
> >> Just FYI, our users would consider it a showstopper bug if a shared
> >> cache is used and is destroyed when only one (but not all) of their
> >> sessions ended.  I don't know if you have some way of dealing with that
> >> in your pam_krb5.
> 
> > When sssd is used the default ccache is not destroyed until all user
> > processes are gone.
> 
> Oh, okay.  That works, then, although it would be surprising behavior for
> experienced UNIX Kerberos users who expect to be able to kinit to a
> different credential in one window and not have all their other processes
> affected.

You can simply set KRB5CCNAME to a different name if you need to do
that.

> We used to use shared ticket caches for all sessions when we first
> deployed Kerberos in the mid-1990s and intentionally switched to
> per-session caches in the late 1990s, and our experience was that it
> drastically reduced our support costs and user confusion to have
> per-session caches.  Now admittedly that was in a world where it was
> difficult to maintain the cache after one session ended, and sssd solves a
> big part of the problem with that, but I think you may find some push-back
> on this as it becomes more widely deployed.

Well, I am pushing for getting you a ccache at login time. My idea is
that the user shouldn't even know or care that they have a ccache and
should not have to learn to use kinit. Of course admins need to, but I would
expect them to know what they are doing :)

We *could* give per-session ccaches, however, so if there is a strong
request we can always change things around.

The problem with multiple ccaches per session is things like NFS or
CIFS. Which ccache should they pick for file access when you have
multiple ones? How do they find them?
We are trying to unify all in one ccache so NFS/CIFS with sec=krb5 can
just always assume that one is the canonical cache in the default place.

Nico:
Thinking about ccaches and kernels and such, I think we may want to
consider replacing $USER with $UID on Unix (or at least have both as
symlinks). It would make a number of things easier to handle, in that if
you use the uid you do not need calls to nsswitch to get access to the
right ccache. nsswitch calls can be a performance bottleneck in some
systems/configurations.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York