This bug is created as a clone of upstream ticket:
Now that krb5 1.14 has been released, krb5 includes a client and cache type based on talking to a KCC daemon over a Unix socket.
SSSD could be enhanced with a KCC daemon component and store ccaches there instead of dealing with the kernel keyring, which poses some issues in some use cases (containers, as keyrings are not namespaced, and non-Linux OSs where the keyring is not available).
The additional benefit of controlling ccaches is that a FILE ccache could be optionally generated for applications that need it (some Java applications do not understand anything but FILE ccaches).
Remoting ccaches and ccache privilege separation are also possibilities, although that crosses over with the gss-proxy daemon too, so some discussion needs to happen there.
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Verified this RFE on SSSD Version: sssd-1.15.2-37.el7.x86_64
Test cases were prepared and sent for review to DEV team. Here is the link for KCM test cases:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.