Bug 833026 - [RFE] pam_krb5 should change its default credential cache location to DIR:/run/user/UID/ccdir
Summary: [RFE] pam_krb5 should change its default credential cache location to DIR:/ru...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: rawhide
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 856880
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-18 12:11 UTC by Stephen Gallagher
Modified: 2012-09-17 22:01 UTC (History)
2 users (show)

Fixed In Version: pam_krb5-2.4.1-1.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-17 22:01:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Stephen Gallagher 2012-06-18 12:11:51 UTC 
Description of problem:
As part of the Fedora 18 Feature https://fedoraproject.org/wiki/Features/KRB5DirCache, pam_krb5 needs to be taught about the new standard location for credential caches.

Beginning with Fedora 18, we will now be storing credential caches in the new DIR format added in MIT Kerberos 1.10. This allows us to store multiple TGTs for different realms simultaneously. Additionally, Fedora has adopted a new standard location of /run/user/UID/ccdir for this storage. This will reduce the need for trolling /tmp for credential caches owned by the user, as it can be assumed that for most situations, the cache location will be well-known[1].

Version-Release number of selected component (if applicable):
pam_krb5-2.3.14-1.fc18

How reproducible:
N/A


Expected results:
When logging in through pam_krb5, the user's TGT should be stored in DIR:/run/user/UID/ccdir instead of the current approach of /tmp/krb5cc_UID_XXXXXX

Additional info:

[1] It is possible for this default location to be changed by an administrator, but we make the assumption that if they do so, they know what they are doing and will deal with other issues that arise from it.
Comment 1 Nalin Dahyabhai 2012-08-14 21:42:11 UTC 
We're going to end up with something based on the pattern DIR:/run/user/$UID/krb5cc_XXXXXX.
Comment 2 Fedora Update System 2012-09-11 03:18:22 UTC 
pam_krb5-2.4.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/pam_krb5-2.4.0-1.fc18
Comment 3 Nalin Dahyabhai 2012-09-13 03:05:34 UTC 
Things are complicated by the fact that pam_systemd doesn't create the user's space under /run/user until the calling application calls pam_open_session(), while the plugin can (and usually does) attempt to create a credential cache as early as the pam_authenticate() and pam_setcred() calls which usually precede that.

Making that work as expected has forced the addition of SELinux-aware directory creation logic to pam_krb5, and is going to require additions to policy to allow it to create and adjust permissions on that directory.
Comment 4 Fedora Update System 2012-09-13 16:47:33 UTC 
Package pam_krb5-2.4.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.4.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13930/pam_krb5-2.4.1-1.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-09-17 22:01:26 UTC 
pam_krb5-2.4.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.