Red Hat Bugzilla – Bug 618689
RFE: I would like to see sssd become a backend store for Kerberos Credentials.
Last modified: 2011-08-25 11:02:53 EDT
Kerberos has been using /tmp as a file system store for CC files since it was created 25 years ago. There are a couple of bad assumptions about this. Mainly, this breaks in a namespace environment where /tmp is different for different processes. It also puts credential data in a location where multiple processes with different UIDs have access. The permissions on the files are controlled by DAC. Every confined application that needs to read the files needs full access to all of user_tmp_t; labeling the cc file differently is rather difficult. Applications like gssd would have an easier time finding the credentials if there were a simple call into sssd to ask for the cc content.
We're not going to implement this. Upstream has decided that the support for using the kernel keyring as a credential cache store is sufficient.
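For reference, the two credential-cache configurations the discussion contrasts, as an added illustration that is not part of the bug report or of any sssd/krb5 code. It is a krb5.conf fragment in MIT Kerberos syntax; the realm name is an assumed placeholder, and the KEYRING:persistent: cache type requires MIT krb5 1.12 or later on a kernel with persistent keyring support. The two [libdefaults] stanzas are alternatives: a real krb5.conf carries only one of them.

```ini
; Added example, not from the bug report. Two alternative [libdefaults]
; stanzas for /etc/krb5.conf; pick one.

; Weak setting (the legacy default the reporter objects to): a per-user
; cache file under /tmp. Protection is file DAC only (mode 0600 owned by
; the user), it assumes /tmp is one shared directory visible to every
; process, and every confined reader needs access to all of user_tmp_t.
[libdefaults]
    default_realm = EXAMPLE.COM        ; assumed placeholder realm
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

; Hardened setting (the kernel keyring store upstream cited when closing
; this RFE): the cache lives in the UID's persistent kernel keyring. No
; file is written under /tmp, access is enforced by keyring permissions
; in the kernel rather than by file DAC, and the cache does not depend
; on which /tmp a process's mount namespace happens to see.
[libdefaults]
    default_realm = EXAMPLE.COM        ; assumed placeholder realm
    default_ccache_name = KEYRING:persistent:%{uid}
```

With the keyring setting in place, `klist` after `kinit` should report a ticket cache name beginning with `KEYRING:persistent:` and no `krb5cc_*` file should appear under /tmp; if `klist` still shows a `FILE:` cache, an exported KRB5CCNAME in the environment is overriding the configured default.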