Bug 832566 - [RFE] GNOME online accounts should be able to enroll Kerberos services
Product: Fedora
Classification: Fedora
Component: gnome-online-accounts
Platform: All Linux
Severity: high
Assigned To: Bastien Nocera
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-15 14:35 EDT by Stephen Gallagher
Modified: 2012-06-20 13:19 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-20 13:19:00 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Bugzilla 671156 None None None 2012-06-20 13:19:00 EDT
Description Stephen Gallagher 2012-06-15 14:35:57 EDT
Description of problem:
Starting with Kerberos 1.10 (available in Fedora 17 and later), Kerberos now has the ability to store TGTs for multiple KDCs in a single cache (called a DIR cache). The benefit of this is that a user can now have single-sign-on between multiple Kerberos realms simultaneously.

GNOME should implement a user interface for users to configure one or more such Kerberos realms. The online accounts tool seems like the appropriate place to me.

Version-Release number of selected component (if applicable):

How reproducible:

Additional info:


Starting with Fedora 18, Fedora's default Kerberos credential cache location will be moved to a known, secure, user-private location (KRB5CCNAME=DIR:/run/user/<UID>/ccdir). See https://fedoraproject.org/wiki/Features/KRB5CacheMove for details. GNOME should do the following:

1. If the KRB5CCNAME variable is present in the environment and starts with DIR:, use that location for the cache

2. If the KRB5CCNAME variable is not present in the environment or does NOT start with DIR:, disable this feature from Online Accounts (multiple TGTs cannot work with non-DIR caches), and if the environment variable isn't set, other applications in the environment won't be able to pick up changes made by the Online Accounts dialog.

The KRB5CCNAME variable is set in the user's session by SSSD or pam_krb5 if they are in use. If they are not, it may be prudent for GNOME/Freedesktop or perhaps pam_systemd to provide a session module to set this value to DIR:/run/user/<UID>/ccdir by default (if it has not been set in the environment already; pam_krb5 and SSSD set it during the auth phase, by necessity), if we want local users to be able to have this capability.
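The two rules above (use the cache only when KRB5CCNAME is set and starts with DIR:, otherwise disable the multi-realm feature) plus the report's requirement that the cache live in a user-private location can be expressed as a small decision helper. The following Python is an added illustration written for this page, not code from the report, from gnome-online-accounts, or from Fedora; the handling of the `DIR::<dir>/<file>` subsidiary-cache form follows the MIT krb5 credential-cache naming documented for DIR caches, and the 0700/ownership check is an assumption about what "user-private" should mean in practice.

```python
import os
import stat
from typing import Mapping, NamedTuple, Optional, Tuple

DIR_PREFIX = "DIR:"


class CacheDecision(NamedTuple):
    enabled: bool             # may Online Accounts manage multiple realms?
    directory: Optional[str]  # the DIR cache directory, when enabled
    reason: str               # human-readable explanation of the decision


def decide_ccache(env: Mapping[str, str]) -> CacheDecision:
    """Apply the report's two rules to an environment mapping.

    Rule 1: KRB5CCNAME present and starting with "DIR:" -> use that cache.
    Rule 2: KRB5CCNAME absent or any other cache type -> disable the feature.
    """
    value = env.get("KRB5CCNAME")
    if value is None:
        # Nothing else in the session would see changes made to the cache.
        return CacheDecision(False, None,
                             "KRB5CCNAME is not set; other applications would not pick up changes")
    if not value.startswith(DIR_PREFIX):
        # A value without a type prefix is a plain FILE cache.
        cache_type = value.split(":", 1)[0] if ":" in value else "FILE"
        return CacheDecision(False, None,
                             f"cache type {cache_type!r} cannot hold TGTs for multiple realms")
    residual = value[len(DIR_PREFIX):]
    # "DIR::<dir>/<file>" names one subsidiary cache inside a DIR collection
    # (MIT krb5 syntax); the collection itself is the parent directory.
    if residual.startswith(":"):
        directory = os.path.dirname(residual[1:])
    else:
        directory = residual
    if not directory:
        return CacheDecision(False, None, "DIR: prefix without a directory path")
    return CacheDecision(True, directory, "DIR cache in use")


def check_private_dir(path: str, uid: Optional[int] = None) -> Tuple[bool, str]:
    """Confirm the cache directory is user-private (assumed policy): it exists,
    is a directory, belongs to the user and grants no group/other access."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "cache directory does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return False, "KRB5CCNAME does not point at a directory"
    if st.st_uid != uid:
        return False, f"directory owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & 0o077:
        return False, "directory is readable or writable by group/other"
    return True, "ok"


if __name__ == "__main__":
    decision = decide_ccache(os.environ)
    print(decision)
    if decision.enabled:
        print(check_private_dir(decision.directory))
```

Run it inside a desktop session to see which branch the current environment takes; an SSSD or pam_krb5 login should yield `DIR:/run/user/<UID>/ccdir`, while a session that never exported KRB5CCNAME lands in the disabled branch with the "not set" reason.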
Comment 1 Ray Strode [halfline] 2012-06-20 13:19:00 EDT
See gnome bug 671156. Let's track this upstream.