Red Hat Bugzilla – Bug 832566
[RFE] GNOME online accounts should be able to enroll Kerberos services
Last modified: 2012-06-20 13:19:00 EDT
Description of problem:
Starting with Kerberos 1.10 (available in Fedora 17 and later), Kerberos now has the ability to store TGTs for multiple KDCs in a single cache (called a DIR cache). The benefit of this is that a user can now have single-sign-on between multiple Kerberos realms simultaneously.
GNOME should implement a user interface for users to configure one or more such Kerberos realms. The online accounts tool seems like the appropriate place to me.
Version-Release number of selected component (if applicable):
Starting with Fedora 18, Fedora's default Kerberos credential cache location will be moved to a known, secure, user-private location (KRB5CCNAME=DIR:/run/user/<UID>/ccdir). See https://fedoraproject.org/wiki/Features/KRB5CacheMove for details. GNOME should do the following:
1. If the KRB5CCNAME variable is present in the environment and starts with DIR:, use that location for the cache
2. If the KRB5CCNAME variable is not present in the environment or does NOT start with DIR:, disable this feature in Online Accounts (multiple TGTs cannot work with non-DIR caches). If the environment variable isn't set, other applications in the session also won't be able to pick up changes made by the Online Accounts dialog.
The KRB5CCNAME variable is set in the user's session by SSSD or pam_krb5 if they are in use. If they are not, it may be prudent for GNOME/Freedesktop or perhaps pam_systemd to provide a session module to set this value to DIR:/run/user/<UID>/ccdir by default (if it has not been set in the environment already; pam_krb5 and SSSD set it during the auth phase, by necessity), if we want local users to be able to have this capability.
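The decision described in steps 1 and 2 above, together with the suggested session default, as an added example that is not part of this bug, of GNOME, or of Fedora. Function names, the `CacheDecision` type and the sample `KRB5CCNAME` values are constructed for illustration. Two details go beyond the report's wording: `DIR::<file>` (double colon) is MIT krb5 syntax for a single cache file inside a collection rather than the collection itself, so it is treated as "not a DIR collection"; and a UI that is about to manage credentials in the directory should first confirm it really is the user-private location the report relies on, so the example checks ownership and mode before trusting it.

```python
"""Decide whether a DIR-type Kerberos credential cache collection is usable.

Added example, not GNOME or Fedora code.  Assumptions are marked below.
"""
import os
import stat
from dataclasses import dataclass
from typing import Mapping, Optional

# Default collection location named in the report for Fedora 18; the path is
# the proposal's value, not something this example verifies on disk.
DEFAULT_CCDIR_TEMPLATE = "DIR:/run/user/{uid}/ccdir"


@dataclass
class CacheDecision:
    enabled: bool             # may Online Accounts manage multiple TGTs?
    directory: Optional[str]  # collection directory when enabled
    reason: str


def parse_dir_collection(value: str) -> Optional[str]:
    """Return the collection directory named by a KRB5CCNAME value, or None.

    Only 'DIR:<dir>' names a collection.  'DIR::<file>' is MIT krb5 syntax for
    one cache inside a collection, and FILE:/KEYRING:/other types are single
    caches, so all of those yield None (multiple TGTs cannot live in them).
    """
    prefix = "DIR:"
    if not value.startswith(prefix):
        return None
    rest = value[len(prefix):]
    if rest == "" or rest.startswith(":"):
        return None
    return rest


def choose_collection(env: Mapping[str, str], uid: int,
                      apply_session_default: bool = False) -> CacheDecision:
    """Apply steps 1 and 2 from the report, plus the optional session default.

    apply_session_default models the suggested PAM/session module that sets
    KRB5CCNAME to DIR:/run/user/<UID>/ccdir when nothing else has set it
    (hypothetical behaviour; the report only proposes it).
    """
    value = env.get("KRB5CCNAME")
    if value is None:
        if apply_session_default:
            value = DEFAULT_CCDIR_TEMPLATE.format(uid=uid)
            return CacheDecision(True, parse_dir_collection(value),
                                 "KRB5CCNAME unset; session default applied")
        # Step 2: nothing else in the session would see our changes.
        return CacheDecision(False, None,
                             "KRB5CCNAME unset; other applications would not see changes")
    directory = parse_dir_collection(value)
    if directory is None:
        # Step 2: a non-DIR cache cannot hold TGTs for several realms.
        return CacheDecision(False, None,
                             "KRB5CCNAME is not a DIR collection: %s" % value)
    # Step 1: use the collection the environment points at.
    return CacheDecision(True, directory, "using DIR collection from environment")


def is_private_dir(path: str, uid: int) -> bool:
    """True if path is a directory owned by uid with no group/other access.

    A cache directory that another local user can read or write defeats the
    point of the user-private location, so a UI should refuse to use it.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    # Demonstration against the current process environment.
    decision = choose_collection(os.environ, os.getuid())
    print(decision)
    if decision.enabled and decision.directory:
        print("private:", is_private_dir(decision.directory, os.getuid()))
```

The `reason` string is what a settings dialog would surface to the user when the feature is greyed out, so the user learns why multi-realm sign-on is unavailable instead of seeing a silently missing control.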
See GNOME bug 671156. Let's track this upstream.