Description of problem: A new, kernel-keyring based credential cache is being added to libkrb5 and used by default in RHEL 7.0. See BZ #991110 and #991148 for full details on the interface.
Note this bug depends on getting change notification into the kerberos keyring. adding bug 991110 as a dependency. If we don't get that feature we'll have to revert to polling, which is not very nice for power usage and probably unacceptable.
just to post an update here, on the upstream bug I've put a first cut at a patch to fall back to polling. Clearly, though, we still want the kernel notification api and want to use that api when it's available. This is just gives us a safety net if schedules don't end up aligning.
testing will require 1) installing updated krb5-libs / sssd packages that enable the kernel keyring support and change user's logins to use that credential cache type by default. 2) running kinit from the command line and seeing if a transient g-o-a identity shows up in control-center online accounts panel for the kinit'd identity 3) running kdestroy from the command line and seeing if control-center notices 4) adding an identity explicitly through control-center, and running kdestroy to see if the identity state gets updated.
*** Bug 1013697 has been marked as a duplicate of this bug. ***
(In reply to Vladimir Benes from comment #4) > (In reply to Ray Strode [halfline] from comment #3) > > just to post an update here, on the upstream bug I've put a first cut at a > > patch to fall back to polling. Clearly, though, we still want the kernel > > notification api and want to use that api when it's available. This is just > > gives us a safety net if schedules don't end up aligning. > > wanted to provide qack but I am not sure how to test this. Is turning > on/off from g-o-a enough for this? Should getting kerberos ticket via g-o-a > be possible as well? Anything else? Apart from what Ray already said, if your g-o-a doesn't support using the kernel keyring cache, then you will see a crash like this: #0 __strcmp_sse42 at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:235 #1 krb5int_cc_getops at ccbase.c:269 #2 krb5_cc_new_unique at ccbase.c:302 #3 get_new_credentials_cache at goakerberosidentitymanager.c:784 #4 sign_in_identity at goakerberosidentitymanager.c:809 #5 on_job_scheduled at goakerberosidentitymanager.c:1018 #6 io_job_thread at gioscheduler.c:89 #7 g_task_thread_pool_thread at gtask.c:1242 #9 g_thread_proxy at gthread.c:798 #11 clone at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
I built gnome-online-accounts-3.8.4.1-2.el7 which should support kernel keyring based credentials cache: https://brewweb.devel.redhat.com/taskinfo?taskID=6513976
Note we're still waiting on a kernel notification API to do this without polling (as per comment 1)
used steps from: https://bugzilla.redhat.com/show_bug.cgi?id=991184#c5 and everything works as expected
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.