#2504 Split provider initialization into privileged and non-privileged parts
Closed: Invalid None Opened 9 years ago by jhrozek.

Currently the whole provider initialization (which is the function sssm_$provider_init) is run privileged and the sssd_be process only drops root afterwards.

In order to reduce the amount of code that runs privileged further, we could add a new initialization function (ssm_$provider_privileged_init) that would perform the part of initialization that requires root, such as checking the keytab or starting the ccache renewal, then sssd_be would drop privs and continue.
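The split start sequence proposed above, as an added C example that is not SSSD's own code: the privileged half runs as root, the back end then drops root irreversibly and verifies the drop before the unprivileged half runs. The names provider_ops, drop_privileges, provider_start and the KEYTAB_PATH placeholder are assumptions for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical split of sssm_$provider_init into a root-only part and an
 * unprivileged part. KEYTAB_PATH is a constructed placeholder path. */
#define KEYTAB_PATH "/etc/krb5.keytab"

struct provider_ops {
    int (*privileged_init)(void);   /* runs before privileges are dropped */
    int (*init)(void);              /* runs as the unprivileged SSSD user */
};

/* Drop root for good: supplementary groups first, then gid, then uid,
 * clearing the saved ids so that setuid(0) can no longer succeed. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Verify the drop took: regaining root must fail for a non-root target. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Root-only part: the keytab, if present, must not be world-readable. */
static int krb5_privileged_init(void)
{
    struct stat st;
    if (stat(KEYTAB_PATH, &st) != 0) return errno == ENOENT ? 0 : -1;
    return (st.st_mode & S_IROTH) ? -1 : 0;
}

static int krb5_init(void) { return 0; }  /* unprivileged part (stub) */

/* Start sequence: privileged init, drop privileges, unprivileged init.
 * Returns 0 on success or the number of the step that failed (1, 2, 3). */
int provider_start(const struct provider_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->privileged_init && ops->privileged_init() != 0) return 1;
    if (drop_privileges(uid, gid) != 0) return 2;
    if (ops->init && ops->init() != 0) return 3;
    return 0;
}

const struct provider_ops krb5_ops = { krb5_privileged_init, krb5_init };
```

Run as root with a real target uid/gid the drop is irreversible; run as an ordinary user the sequence still succeeds because dropping to your own ids is permitted.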


If it turns out that only the mentioned Kerberos related tasks require root privileges, I would suggest adding those to the krb5_child and calling it during the init process. Since the krb5_child is already installed with the SUID bit, it can do the tasks even if the provider itself already runs as an unprivileged user.

If I remember correctly, the Kerberos provider had to check the ccaches of all users who had a saved ccache in the sysdb and add them for renewal. I'm not sure the ccache check can be done w/o root privileges.

Moving this check to krb5_child would be a possibility, but then we'd have to come up with a 'protocol' that would transfer the ccaches to check from the child to the back end so that the back end can watch for renewal times and start the renewal task before the ticket times out.

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Fields changed

rhbz: => 0

We don't really need this I think, we solved the separation of privileges better in the providers themselves.

review: 0 => 1
sensitive: => 0

Fields changed

resolution: => wontfix
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3546

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

