Bug 1396012 - [RFE] KCM ccache daemon in SSSD
Summary: [RFE] KCM ccache daemon in SSSD
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Amith
Docs Contact: Aneta Šteflová Petrová
Blocks: 1399979 1405326
Reported: 2016-11-17 09:06 UTC by Jakub Hrozek
Modified: 2017-08-01 09:00 UTC
CC: 9 users

Fixed In Version: sssd-1.15.2-3.el7
Doc Type: Enhancement
Doc Text:
New Kerberos credential cache type: KCM

This update adds a new SSSD service named *kcm*. The service is included in the _sssd-kcm_ subpackage. When the *kcm* service is installed, you can configure the Kerberos library to use a new credential cache type named `KCM`. When the KCM credential cache type is configured, the *sssd-kcm* service manages the credentials. The KCM credential cache type is well-suited for containerized environments:

* With KCM, you can share credential caches between containers on demand, based on mounting the UNIX socket on which the *kcm* service listens.
* The *kcm* service runs in user space outside the kernel, unlike the KEYRING credential cache type that RHEL uses by default. With KCM, you can run the *kcm* service only in selected containers. With KEYRING, all containers share the credential caches because they share the kernel.

Additionally, the KCM credential cache type supports cache collections, unlike the FILE ccache type. For details, see the sssd-kcm(8) man page.
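The configuration the release note describes, as an added example (not part of the bug report or of the sssd project's own files): the krb5.conf stanza that selects the KCM cache type and the sssd.conf section that sets the socket sssd-kcm listens on. The socket path shown is the default documented in sssd-kcm(8) and is the same default MIT krb5 uses for its `kcm_socket` setting; it is spelled out here only so that the two sides visibly agree.

```ini
# /etc/krb5.conf (added example; only the relevant stanza is shown)
[libdefaults]
    # Switch the Kerberos library from the RHEL default (KEYRING:) to KCM.
    # Credentials are then held by the user-space sssd-kcm service, not the kernel.
    default_ccache_name = KCM:
    # Optional: path to the KCM daemon socket. This is already the MIT krb5
    # default; set it explicitly only if sssd-kcm's socket_path below is changed.
    kcm_socket = /var/run/.heim_org.h5l.kcm-socket

# /etc/sssd/sssd.conf (added example; the [kcm] section only)
[kcm]
    # Socket the kcm service listens on (sssd-kcm(8) default).
    # A container shares the host's caches only if this socket is mounted into it.
    socket_path = /var/run/.heim_org.h5l.kcm-socket
```

The service is socket-activated, so it is enabled with `systemctl enable --now sssd-kcm.socket`; a container that should share the host's credential caches gets this socket bind-mounted (for example `-v /var/run/.heim_org.h5l.kcm-socket:/var/run/.heim_org.h5l.kcm-socket` with podman or docker) together with the same krb5.conf stanza, while containers without the mount see no caches at all.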
Last Closed: 2017-08-01 09:00:03 UTC

Links:
Red Hat Product Errata RHEA-2017:2294 (normal, SHIPPED_LIVE): sssd bug fix and enhancement update, last updated 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2016-11-17 09:06:58 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2887

Now that krb5 1.14 has been released, krb5 includes a client and cache type based on talking to a KCC daemon over a unix socket.
SSSD could be enhanced with a KCC daemon component and store ccaches there instead of dealing with the kernel keyring, which poses some issues in some use cases (containers, as keyrings are not namespaced, and non-Linux OSs where the keyring is not available).
The additional benefit of controlling ccaches is that a FILE ccache could be optionally generated for applications that need it (some Java applications do not understand anything but FILE ccaches).
Remoting ccaches and ccache privilege separation are also possibilities, although that crosses over with the gss-proxy daemon too, so some discussion needs to happen there.

Comment 1 Jakub Hrozek 2017-03-27 08:13:10 UTC
master:

Comment 8 Martin Kosek 2017-05-26 09:40:03 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

The IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try the Beta and provide us with your feedback!

Comment 9 Amith 2017-06-01 04:06:33 UTC
Verified this RFE on SSSD Version: sssd-1.15.2-37.el7.x86_64

Test cases were prepared and sent for review to DEV team. Here is the link for KCM test cases:
https://docs.google.com/a/redhat.com/document/d/1Td-JBuiqE1o-KntLnFsnSdCdWG6nH5ARPhDxJFJ6RBc/edit?usp=sharing

Related bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1441764
https://bugzilla.redhat.com/show_bug.cgi?id=1456968
https://bugzilla.redhat.com/show_bug.cgi?id=1456835

Comment 10 errata-xmlrpc 2017-08-01 09:00:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294