Bug 618689 - RFE: I would like to see sssd become a backend store for Kerberos Credentials.
Product: Fedora
Classification: Fedora
Component: sssd
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2010-07-27 10:40 EDT by Daniel Walsh
Modified: 2011-08-25 11:02 EDT
Doc Type: Enhancement
Last Closed: 2011-08-25 11:02:53 EDT
Description Daniel Walsh 2010-07-27 10:40:12 EDT
Kerberos has been using /tmp as a file system store for CC files since it was created 25 years ago. There are a couple of bad assumptions about this. Mainly, this breaks in a namespace environment where /tmp is different for different processes. It is also putting credential data in a location where multiple processes have access with different UIDs. The permissions on the files are controlled by DAC. Every confined application that needs to read the files needs full access to all user_tmp_t; labeling the cc file differently is rather difficult. Applications like gssd would have an easier time finding the credentials if there was a simple call into sssd to ask for the cc content.
Comment 1 Stephen Gallagher 2011-08-25 11:02:53 EDT
We're not going to implement this. Upstream has decided that the support for using the kernel keyring as a credential cache store is sufficient.
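
Added example, not part of the bug thread and not sssd or krb5 code: a small audit that reads `default_ccache_name` from a krb5.conf, reports whether the credential cache is a file under /tmp or a kernel keyring, and lists `krb5cc_*` files whose DAC mode lets group or other in. The function names and both sample configurations are constructed for illustration.

```python
import os
import re
import stat

SHARED_TMP = ("/tmp/", "/var/tmp/")  # world-writable, namespace-dependent directories

def classify_ccache(name):
    """Split a ccache name into (type, residual, in_shared_tmp)."""
    m = re.match(r"([A-Za-z][A-Za-z0-9_]+):(.*)", name)
    # Assumption: a name without a TYPE: prefix is treated as a FILE path.
    ctype, residual = (m.group(1).upper(), m.group(2)) if m else ("FILE", name)
    in_tmp = ctype in ("FILE", "DIR") and residual.startswith(SHARED_TMP)
    return ctype, residual, in_tmp

def default_ccache_name(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None

def loose_ccache_files(directory):
    """List krb5cc_* regular files in directory that group or other can access."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.startswith("krb5cc_"):
            continue
        st = os.lstat(os.path.join(directory, entry))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((entry, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings

# Constructed sample configurations, not taken from any real host.
FILE_CONF = "[libdefaults]\n  default_ccache_name = FILE:/tmp/krb5cc_%{uid}\n"
KEYRING_CONF = "[libdefaults]\n  default_ccache_name = KEYRING:persistent:%{uid}\n"

if __name__ == "__main__":
    for conf in (FILE_CONF, KEYRING_CONF):
        print(classify_ccache(default_ccache_name(conf)))
    print(loose_ccache_files("/tmp"))
```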
