Red Hat Bugzilla – Full Text Bug Listing
Summary: RFE: I would like to see sssd become a backend store for Kerberos Credentials.
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: rawhide
CC: jhrozek, sbose, sgallagh, ssorce
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Last Closed: 2011-08-25 11:02:53 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Daniel Walsh 2010-07-27 10:40:12 EDT
Kerberos has been using /tmp as a file system store for CC files since it was created 25 years ago. There are a couple of bad assumptions about this. Mainly this breaks in a namespace environment where /tmp is different for different processes. It is also putting credential data in a location where multiple processes with different UIDs have access. The permissions on the files are controlled by DAC. Every confined application that needs to read the files needs full access to all user_tmp_t; labeling the cc file differently is rather difficult. Applications like gssd would have an easier time finding the credentials if there was a simple call into sssd to ask for the cc content.
Comment 1 Stephen Gallagher 2011-08-25 11:02:53 EDT
We're not going to implement this. Upstream has decided that the support for using the kernel keyring as a credential cache store is sufficient.
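The description above objects to the FILE:/tmp credential cache, and the closing comment points at the kernel keyring store as the upstream answer. The following is an added example written for this page, not code from the bug report, from sssd or from MIT Kerberos: a small POSIX sh audit that classifies a credential-cache name by its type prefix, reads default_ccache_name out of the [libdefaults] section of a krb5.conf, and reports whether the effective default is a kernel-keyring cache, a file under /tmp, or something else. It assumes the MIT Kerberos cache-name forms (FILE:, DIR:, KEYRING:, KCM:, MEMORY:), the [libdefaults] key default_ccache_name, the KRB5CCNAME environment override, and MIT's compiled-in fallback of FILE:/tmp/krb5cc_%{uid} when the key is absent. The krb5.conf contents it writes are constructed demonstration data, and the realm, KDC and paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or from sssd/krb5.
# Classifies a Kerberos credential-cache name by its type prefix and audits a
# krb5.conf for the legacy FILE:/tmp default that the report objects to.
# Assumed facts (MIT Kerberos documentation): the cache-name forms FILE:, DIR:,
# KEYRING:, KCM:, MEMORY:; the [libdefaults] key default_ccache_name; and the
# compiled-in default FILE:/tmp/krb5cc_%{uid} used when that key is absent.

# Print the cache type. A bare path carries no "TYPE:" prefix and is a FILE cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Print "keyring" for a kernel-keyring cache, "tmp-file" for a file cache under
# /tmp (the case the report describes: DAC-only protection, a directory shared
# across UIDs, and breakage under per-process /tmp namespaces), else "other".
ccache_verdict() {
    case "$(ccache_type "$1")" in
        KEYRING) printf 'keyring\n' ;;
        FILE)
            case "${1#FILE:}" in
                /tmp/*) printf 'tmp-file\n' ;;
                *)      printf 'other\n' ;;
            esac ;;
        *) printf 'other\n' ;;
    esac
}

# Print default_ccache_name from the [libdefaults] section of the krb5.conf
# given as $1, or the compiled-in default when the key is not set there.
# Keys in other sections (e.g. "default" under [logging]) are ignored.
default_ccache_name() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*/, "", sect); next }
        sect == "libdefaults" && $1 ~ /^[ \t]*default_ccache_name[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "FILE:/tmp/krb5cc_%{uid}" }
    ' "$1"
}

# Name in effect for a process: KRB5CCNAME overrides the configured default.
effective_ccache_name() {
    if [ -n "${KRB5CCNAME:-}" ]; then printf '%s\n' "$KRB5CCNAME"
    else default_ccache_name "$1"; fi
}

# Write a constructed krb5.conf to $1; $2 is the default_ccache_name to set,
# or empty to leave the key out. Demonstration data, not a real system file.
write_sample_conf() {
    {
        printf '[logging]\n default = FILE:/var/log/krb5libs.log\n\n'
        printf '[libdefaults]\n default_realm = EXAMPLE.COM\n'
        if [ -n "$2" ]; then printf ' default_ccache_name = %s\n' "$2"; fi
        printf ' dns_lookup_kdc = true\n\n[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n'
    } >"$1"
}

# Demonstration over three constructed configurations: key absent (falls back
# to /tmp), the legacy /tmp file cache, and the kernel keyring that upstream
# settled on instead of an sssd-backed store.
for name in '' 'FILE:/tmp/krb5cc_%{uid}' 'KEYRING:persistent:%{uid}'; do
    conf=$(mktemp)
    write_sample_conf "$conf" "$name"
    printf '%-28s -> %s\n' "${name:-<key absent>}" "$(ccache_verdict "$(default_ccache_name "$conf")")"
    rm -f "$conf"
done
```

Run against a real /etc/krb5.conf, `ccache_verdict "$(effective_ccache_name /etc/krb5.conf)"` tells you whether a login session on that host will still drop tickets into /tmp; `klist` on a logged-in session shows the name actually in use, which is the quicker check when KRB5CCNAME has been set by PAM or a display manager. Note that the audit only reads the configured name: it does not prove the kernel keyring is available to the process, and it does not consider SELinux labels at all, which is the part of the report that a configuration check cannot answer.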