Bug 833026

Summary: [RFE] pam_krb5 should change its default credential cache location to DIR:/run/user/UID/ccdir
Product: [Fedora] Fedora Reporter: Stephen Gallagher <sgallagh>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: john, nalin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam_krb5-2.4.1-1.fc18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-17 22:01:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 856880    
Bug Blocks:    

Description Stephen Gallagher 2012-06-18 12:11:51 UTC 
Description of problem:
As part of the Fedora 18 Feature https://fedoraproject.org/wiki/Features/KRB5DirCache, pam_krb5 needs to be taught about the new standard location for credential caches.

Beginning with Fedora 18, we will now be storing credential caches in the new DIR format added in MIT Kerberos 1.10. This allows us to store multiple TGTs for different realms simultaneously. Additionally, Fedora has adopted a new standard location of /run/user/UID/ccdir for this storage. This will reduce the need for trolling /tmp for credential caches owned by the user, as it can be assumed that for most situations, the cache location will be well-known[1].

Version-Release number of selected component (if applicable):
pam_krb5-2.3.14-1.fc18

How reproducible:
N/A


Expected results:
When logging in through pam_krb5, the user's TGT should be stored in DIR:/run/user/UID/ccdir instead of the current approach of /tmp/krb5cc_UID_XXXXXX

Additional info:

[1] It is possible for this default location to be changed by an administrator, but we make the assumption that if they do so, they know what they are doing and will deal with other issues that arise from it.
Comment 1 Nalin Dahyabhai 2012-08-14 21:42:11 UTC 
We're going to end up with something based on the pattern DIR:/run/user/$UID/krb5cc_XXXXXX.
Comment 2 Fedora Update System 2012-09-11 03:18:22 UTC 
pam_krb5-2.4.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/pam_krb5-2.4.0-1.fc18
Comment 3 Nalin Dahyabhai 2012-09-13 03:05:34 UTC 
Things are complicated by the fact that pam_systemd doesn't create the user's space under /run/user until the calling application calls pam_open_session(), while the plugin can (and usually does) attempt to create a credential cache as early as the pam_authenticate() and pam_setcred() calls which usually precede that.

Making that work as expected has forced the addition of SELinux-aware directory creation logic to pam_krb5, and is going to require additions to policy to allow it to create and adjust permissions on that directory.
Comment 4 Fedora Update System 2012-09-13 16:47:33 UTC 
Package pam_krb5-2.4.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.4.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13930/pam_krb5-2.4.1-1.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-09-17 22:01:26 UTC 
pam_krb5-2.4.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.