b9c563c KCM: Initial responder build and packaging

Authored and Committed by jhrozek 2 years ago
    KCM: Initial responder build and packaging
    
    Adds the initial build of the Kerberos Cache Manager responder (KCM).
    
    This is a daemon that is capable of holding and storing Kerberos
    ccaches. When KCM is used, the Kerberos libraries (invoked through e.g.
    kinit) are referred to as a 'client' and the KCM daemon is referred to
    as 'server'.
    
    At the moment, only the Heimdal implementation of Kerberos implements the
    KCM server:
        https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
    This patch adds a KCM server to SSSD.
    
    In MIT, only the 'client-side' support was added:
        http://k5wiki.kerberos.org/wiki/Projects/KCM_client
    This page also describes the protocol between the client and the server.
    
    The client is capable of talking to the server over either UNIX sockets
    (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
    UNIX sockets way and should be socket-activated by systemd, although it
    can in theory also be run explicitly.
    
    The KCM server only builds if the configuration option "--with-kcm" is
    enabled. It is packaged in a new subpackage sssd-kcm in order to allow
    distributions to enable the KCM credential caches by installing this
    subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
    also includes a krb5.conf.d snippet that allows the admin to just uncomment
    the KCM defaults and instructs them to start the socket.
    
    The server can be configured in sssd.conf in the "[kcm]" section.
    By default, the server only listens on the same socket path the Heimdal
    server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
    however, configurable.
    
    The file src/responder/kcm/kcm.h is more or less directly imported from
    the MIT Kerberos tree, with an additional sentinel code and some
    comments. Not all KCM operations are implemented, only those that the
    MIT client also implements. That said, this KCM server should also be
    usable with a Heimdal client, although no special testing was done with
    this hybrid.
    
    The patch also adds several error codes that will be used in later
    patches.
    
    Related to:
        https://pagure.io/SSSD/sssd/issue/2887
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    
        