Bug 618689

Summary: RFE: I would like to see sssd become a backend store for Kerberos Credentials.
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2011-08-25 11:02:53 EDT

Description Daniel Walsh 2010-07-27 10:40:12 EDT
Kerberos has been using /tmp as a file system store for CC files since it was created 25 years ago. There are a couple of bad assumptions about this. Mainly this breaks in a namespace environment where /tmp is different for different processes. It also is putting credential data in a location where multiple processes have access with different UIDs. The permissions on the files are controlled by DAC. Every confined application that needs to read the files needs full access to all user_tmp_t; labeling the cc file differently is rather difficult. Applications like gssd would have an easier time finding the credentials if there was a simple call into sssd to ask for the cc content.
Comment 1 Stephen Gallagher 2011-08-25 11:02:53 EDT
We're not going to implement this. Upstream has decided that the support for using the kernel keyring as a credential cache store is sufficient.
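An added example, not code from this bug report or from sssd, illustrating the concerns in the description and the keyring-based store mentioned in the closing comment: it classifies a KRB5CCNAME value by credential cache type and, for FILE: caches, checks the DAC mode bits, the owner, and whether the file sits in a shared temp directory. The type list, the shared-directory list and the function names are assumptions of this example.

```python
import os
import re
import stat
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Cache types recognised by this example (assumed list); a bare path is FILE:.
CCACHE_TYPES = ("FILE", "DIR", "KEYRING", "KCM", "MEMORY")
# Directories shared between users where DAC alone protects the file (assumed).
SHARED_TMP_DIRS = ("/tmp", "/var/tmp")


@dataclass
class CcacheAudit:
    cctype: str
    residual: str
    findings: List[str] = field(default_factory=list)


def parse_ccache_name(name: str) -> Tuple[str, str]:
    """Split a KRB5CCNAME value into (type, residual); bare paths mean FILE."""
    m = re.match(r"^([A-Za-z]+):(.*)$", name)
    if m and m.group(1).upper() in CCACHE_TYPES:
        return m.group(1).upper(), m.group(2)
    return "FILE", name


def audit_ccache(name: str, expected_uid: Optional[int] = None) -> CcacheAudit:
    """Report the file-based weaknesses the bug describes for a FILE: cache."""
    cctype, residual = parse_ccache_name(name)
    audit = CcacheAudit(cctype, residual)
    if cctype != "FILE":
        # Keyring, KCM and in-process caches are not files in /tmp, so the
        # shared-directory and DAC checks below do not apply to them.
        return audit
    path = residual
    if any(path == d or path.startswith(d + "/") for d in SHARED_TMP_DIRS):
        audit.findings.append("file cache lives in a shared temp directory")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        audit.findings.append("cache file does not exist")
        return audit
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        audit.findings.append(f"cache file mode {mode:04o} grants group/other access")
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        audit.findings.append(f"cache file owned by uid {st.st_uid}, expected {uid}")
    return audit
```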