Red Hat Bugzilla – Full Text Bug Listing
|Summary:||[RFE] pam_krb5 should change its default credential cache location to DIR:/run/user/UID/ccdir|
|Product:||[Fedora] Fedora||Reporter:||Stephen Gallagher <sgallagh>|
|Component:||pam_krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||pam_krb5-2.4.1-1.fc18||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-09-17 18:01:26 EDT||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||856880|
Description Stephen Gallagher 2012-06-18 08:11:51 EDT
Description of problem: As part of the Fedora 18 Feature https://fedoraproject.org/wiki/Features/KRB5DirCache, pam_krb5 needs to be taught about the new standard location for credential caches. Beginning with Fedora 18, we will now be storing credential caches in the new DIR format added in MIT Kerberos 1.10. This allows us to store multiple TGTs for different realms simultaneously. Additionally, Fedora has adopted a new standard location of /run/user/UID/ccdir for this storage. This will reduce the need for trolling /tmp for credential caches owned by the user, as it can be assumed that for most situations, the cache location will be well-known. Version-Release number of selected component (if applicable): pam_krb5-2.3.14-1.fc18 How reproducible: N/A Expected results: When logging in through pam_krb5, the user's TGT should be stored in DIR:/run/user/UID/ccdir instead of the current approach of /tmp/krb5cc_UID_XXXXXX Additional info:  It is possible for this default location to be changed by an administrator, but we make the assumption that if they do so, they know what they are doing and will deal with other issues that arise from it.
Comment 1 Nalin Dahyabhai 2012-08-14 17:42:11 EDT
We're going to end up with something based on the pattern DIR:/run/user/$UID/krb5cc_XXXXXX.
Comment 2 Fedora Update System 2012-09-10 23:18:22 EDT
pam_krb5-2.4.0-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/pam_krb5-2.4.0-1.fc18
Comment 3 Nalin Dahyabhai 2012-09-12 23:05:34 EDT
Things are complicated by the fact that pam_systemd doesn't create the user's space under /run/user until the calling application calls pam_open_session(), while the plugin can (and usually does) attempt to create a credential cache as early as the pam_authenticate() and pam_setcred() calls which usually precede that. Making that work as expected has forced the addition of SELinux-aware directory creation logic to pam_krb5, and is going to require additions to policy to allow it to create and adjust permissions on that directory.
Comment 4 Fedora Update System 2012-09-13 12:47:33 EDT
Package pam_krb5-2.4.1-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pam_krb5-2.4.1-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-13930/pam_krb5-2.4.1-1.fc18 then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-09-17 18:01:26 EDT
pam_krb5-2.4.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.