| Summary: | [RFE] Teach GSSD to use DIR:/run/user/$UID for Kerberos DIR caches | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> | ||||||
| Component: | nfs-utils | Assignee: | Steve Dickson <steved> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | bfields, jlayton, nalin, steved | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-09-17 22:33:22 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
|
Description
Stephen Gallagher
2012-06-18 12:07:11 UTC
For the record, this can be tested by using sssd-1.9.0-6.fc18.beta2 or later for krb5 login. That will put the credential cache in the proper place by default. From an IRC conversation today: (02:30:26 PM) sgallagh: steved: At the start of gssd_setup_krb5_user_gss_ccache(), check whether the file /run/user/UID/ccdir/primary exists (02:31:39 PM) sgallagh: Return the dirent for the parent directory (/run/user/UID/ccdir). In gssd_setup_krb5_user_gss_ccache() check whether the path returned from gssd_find_existing_krb5_ccache() is a file or directory. If it's a directory, do the snprintf() with DIR: instead of FILE: (02:31:52 PM) sgallagh: steved: I *think* that's all you will need to do for this to work. (02:32:38 PM) sgallagh: The reason to check for /run/user/UID/ccdir/primary is that all DIR: cache directories must contain a file with this name (it tells libkrb5 where to look). (02:32:54 PM) sgallagh: So that will be enough confirmation that there is a DIR: cache here for gssd to use it. After more discussion, the recommended order is now:
* directories under /run/user/$UID matching the pattern "krb5cc*"
No "_" is expected because the UID is already a separate component in the pathname, and the "_" was typically there to visually separate the UID from the rest of the filename.
* files under /run/user/$UID matching the pattern "krb5cc*"
Same reason as above for not including the "_" in the matching pattern.
* files under /tmp matching the pattern "krb5cc*"
The current default matching prefix ("krb5cc_*") would still work here just as well, but changing it could make the implementation simpler.
Created attachment 604985 [details]
proposed changes for recognizing "DIR" cache types
Created attachment 604986 [details]
proposed changes for parameterizing the search path with %U for IDs
Nalin, Would you mind posting these patches to upstream at linux-nfs.org, tia... Steve, some of the context in these two depends on other patches that are already applied in the package. What's the baseline that versions pitched upstream should be using? Just as important (to me, anyway), do they look correct to you? (In reply to comment #7) > Steve, some of the context in these two depends on other patches that are > already applied in the package. What's the baseline that versions pitched > upstream should be using? The upstream tree is at git://linux-nfs.org/~steved/nfs-utils > Just as important (to me, anyway), do they look > correct to you? I took a quick look at them and they look reasonable. I have not done any testing yet, but as long as gssd can fall back to look in legacy places for the cache, I think we are good... Submitted, though I probably should have elaborated more in the patch comments. nfs-utils-1.2.6-12.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/nfs-utils-1.2.6-12.fc18 Package nfs-utils-1.2.6-12.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nfs-utils-1.2.6-12.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-12618/nfs-utils-1.2.6-12.fc18 then log in and leave karma (feedback). nfs-utils-1.2.6-12.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |