RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1396012 - [RFE] KCM ccache daemon in SSSD
Summary: [RFE] KCM ccache daemon in SSSD
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Amith
Aneta Šteflová Petrová
Depends On:
Blocks: 1399979 1405326
TreeView+ depends on / blocked
Reported: 2016-11-17 09:06 UTC by Jakub Hrozek
Modified: 2020-05-02 18:14 UTC (History)
9 users (show)

Fixed In Version: sssd-1.15.2-3.el7
Doc Type: Enhancement
Doc Text:
New Kerberos credential cache type: KCM This update adds a new SSSD service named *kcm*. The service is included in the _sssd-kcm_ subpackage. When the *kcm* service is installed, you can configure the Kerberos library to use a new credential cache type named `KCM`. When the KCM credential cache type is configured, the *sssd-kcm* service manages the credentials. The KCM credential cache type is well-suited for containerized environments: * With KCM, you can share credential caches between containers on demand, based on mounting the UNIX socket on which the *kcm* service listens. * The *kcm* service runs in user space outside the kernel, unlike the KEYRING credential cache type that RHEL uses by default. With KCM, you can run the *kcm* service only in selected containers. With KEYRING, all containers share the credential caches because they share the kernel. Additionally, the KCM credential cache type supports cache collections, unlike the FILE ccache type. For details, see the sssd-kcm(8) man page.
Clone Of:
Last Closed: 2017-08-01 09:00:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3928 0 None closed [RFE] KCM ccache daemon in SSSD 2021-02-03 19:29:54 UTC
Red Hat Product Errata RHEA-2017:2294 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2016-11-17 09:06:58 UTC
This bug is created as a clone of upstream ticket:

Now that krb5 1.14 has been released, krb5 inclused a client and cache type based on talking to a KCC daemon over a unix socket.
SSSD could be enhanced with a KCC daemon component and store ccaches there instead of dealing with the kernel keyring which poses some issues in some use cases (conatiners as keyrings are not namespaced and non-linux OSs where the keyring is not available).
The additional beniefit of controlling ccaches is that a FILE ccache could be optionally generated for applications that needed (some Java applications do not understand anything but FILE ccaches).
Remoting ccaches and ccahe privilege separation are also possibilities, although that crosses over with the gss-proxy daemon too, so some discussion needs to happen there.

Comment 1 Jakub Hrozek 2017-03-27 08:13:10 UTC

Comment 8 Martin Kosek 2017-05-26 09:40:03 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 9 Amith 2017-06-01 04:06:33 UTC
Verified this RFE on SSSD Version: sssd-1.15.2-37.el7.x86_64

Test cases were prepared and sent for review to DEV team. Here is the link for KCM test cases:

Related bugs:

Comment 10 errata-xmlrpc 2017-08-01 09:00:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.