Bug 618689 - RFE: I would like to see sssd become a backend store for Kerberos Credentials.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-07-27 14:40 UTC by Daniel Walsh
Modified: 2011-08-25 15:02 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-25 15:02:53 UTC
Type: ---
Embargoed:



Description Daniel Walsh 2010-07-27 14:40:12 UTC
Kerberos has been using /tmp as a file system store for CC files since it was created 25 years ago. There are a couple of bad assumptions about this. Mainly this breaks in a namespace environment where /tmp is different for different processes. It also is putting credential data in a location where multiple processes have access with different UIDs. The permissions on the files are controlled by DAC. Every confined application that needs to read the files needs full access to all user_tmp_t; labeling the cc file differently is rather difficult. Applications like gssd would have an easier time finding the credentials if there was a simple call into sssd to ask for the cc content.

Comment 1 Stephen Gallagher 2011-08-25 15:02:53 UTC
We're not going to implement this. Upstream has decided that the support for using the kernel keyring as a credential cache store is sufficient.
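
An added example, not part of the bug report or of sssd: a small audit helper that classifies a credential cache name and, for file-backed caches, checks the DAC properties the description worries about (shared directory, owner, group/other access). The function names, the finding labels, the `SHARED_DIRS` list and the sample names with UID 1000 are assumptions made for illustration.

```python
import os
import stat

# Assumption: these are the directories treated as shared between UIDs.
SHARED_DIRS = ("/tmp", "/var/tmp")

def parse_ccname(name):
    """Split a ccache name into (TYPE, residual); a bare path is a FILE cache."""
    if name.startswith("/") or ":" not in name:
        return "FILE", name
    cctype, residual = name.split(":", 1)
    return cctype.upper(), residual

def audit_ccache(name, uid, shared_dirs=SHARED_DIRS):
    """Return a list of findings for one ccache name expected to belong to uid."""
    cctype, residual = parse_ccname(name)
    if cctype not in ("FILE", "DIR"):
        return []  # e.g. KEYRING: nothing stored as a path in a shared directory
    # A DIR residual may start with ":" when it names one cache file directly.
    path = os.path.realpath(residual.lstrip(":"))
    findings = []
    for d in shared_dirs:
        root = os.path.realpath(d)
        if os.path.commonpath([root, path]) == root:
            findings.append("shared-dir")
            break
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings + ["missing"]
    if st.st_uid != uid:
        findings.append("wrong-owner")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("group-or-other-access")
    return findings

if __name__ == "__main__":
    # Constructed sample names; UID 1000 is a placeholder.
    for name in ("FILE:/tmp/krb5cc_1000", "KEYRING:persistent:1000"):
        print(name, audit_ccache(name, 1000))
```
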

