Learn more about these different git repos.
Other Git URLs
Recently a thread was started on fedora-devel with the goal of designing a solution to address some of the edge cases of having the Kerberos ccache reside in /run.
/run
The tl;dr version is that the SSSD might not need to create the ccache directory itself, but rely on a helper inside libkrb5 to do so.
In order to keep up with this change, the SSSD should: 1. Add a configure time switch/check to see if the particular platform has the helper already. If it has the helper, don't mkdir the ccache directory. If the helper is not present, keep creating the directory as we do now. 2. Change the default ccache to be in the newly proposed directory (be it /var/kerberos/user or /run/kerberos/user). This might be just a Fedora/RHEL patch because the upstream still uses FILE-based ccache.
Fields changed
type: defect => task
milestone: NEEDS_TRIAGE => SSSD 1.10.2 rhbz: => 0
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=991185 (Red Hat Enterprise Linux 7)
rhbz: 0 => [https://bugzilla.redhat.com/show_bug.cgi?id=991185 991185]
As development has proceeded, we have come up with a new approach for dealing with this issue. We have enhanced the Linux kernel keyring to support "persistent" keyring caches that we can use. This will avoid the potential race-condition issues surrounding DIR cache creation and login timing, as well as enhancing security.
A set of patches for SSSD to consume this new keyring have been sent to the sssd-devel mailing list.
patch: 0 => 1 summary: Convert to the new Kerberos ccache location => Convert to the new Kerberos KEYRING ccache
owner: somebody => sgallagh
resolution: => fixed status: new => closed
Metadata Update from @jhrozek: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.10.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3078
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.