[38573] in Kerberos


Re: krb5 library missing functions for collections

daemon@ATHENA.MIT.EDU (Charles Hedrick)
Mon Jul 22 13:39:20 2019

From: Charles Hedrick <hedrick@rutgers.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Mon, 22 Jul 2019 17:39:03 +0000
Message-ID: <E8EAED76-061A-4290-B109-538BBBA9A5BE@rutgers.edu>
In-Reply-To: <9f9094e8-4e89-f9f9-e902-4f144a54b97f@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s supposed to be compatible with Heimdal’s, but based on documentation it appears that it may not be.

The default value of KRB5CCNAME is simply KCM:  It had better be user-specific, or everybody shares a collection.

geneva:~/kerberos> klist -A
Ticket cache: KCM:1000:737
Default principal: hedrick@CS.RUTGERS.EDU

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/CS.RUTGERS.EDU@CS.RUTGERS.EDU
	renew until 07/16/2020 09:53:19

geneva:~/kerberos> setenv KRB5CCNAME KCM:1000
geneva:~/kerberos> klist
klist: No credentials cache found

geneva:~/kerberos> setenv KRB5CCNAME KCM:
geneva:~/kerberos> klist
Ticket cache: KCM:1000:737
Default principal: hedrick@CS.RUTGERS.EDU

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/CS.RUTGERS.EDU@CS.RUTGERS.EDU
	renew until 07/16/2020 09:53:19

I don’t know how it’s implemented, but it behaves as if KCM:1000 is a specific cache, and only KCM: can access the whole collection.

Note that root can’t read other users’ caches, so in a daemon I have to use setreuid to change to a user and then look at KCM:

I get the same results on my Mac if I use a Macports port of MIT Kerberos. With the builtin utilities I can’t make KCM work at all.


On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghudson@mit.edu> wrote:

The KCM daemon's namespace is machine-global, not uid-specific, and I
don't think doing setruid() would be visible to the daemon anyway (it
should see the euid of the client, not the ruid).

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
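As an added example (not code from the thread or from MIT krb5/sssd): a small Python checker that parses `klist -A` output in the layout shown above and reports any cache whose owner uid, taken from the KCM:<uid>:<n> cache name, is not the uid you expected, which is what "everybody shares a collection" would look like. It assumes sssd's KCM names caches KCM:<uid>:<n>, as the KCM:1000:737 line suggests; the sample text and the second, foreign cache in it are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

TS_FMT = "%m/%d/%Y %H:%M:%S"   # timestamp layout printed by MIT klist

@dataclass
class Cache:
    name: str
    principal: str = ""
    tickets: list = field(default_factory=list)

    def uid(self) -> Optional[int]:
        # Assumption: sssd's KCM names caches KCM:<uid>:<n>, uid = owner.
        m = re.match(r"KCM:(\d+)(?::\d+)?$", self.name)
        return int(m.group(1)) if m else None

def parse_klist(text: str) -> list:
    """Split 'klist -A' output into one Cache per 'Ticket cache:' block."""
    caches, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            cur = Cache(line.split(":", 1)[1].strip())
            caches.append(cur)
        elif line.startswith("Default principal:") and cur is not None:
            cur.principal = line.split(":", 1)[1].strip()
        elif cur is not None and re.match(r"\d{2}/\d{2}/\d{4} ", line):
            # ticket rows: start, expiry and service, separated by 2+ spaces
            start, end, service = re.split(r"\s{2,}", line, maxsplit=2)
            cur.tickets.append({"start": datetime.strptime(start, TS_FMT),
                                "expires": datetime.strptime(end, TS_FMT),
                                "service": service})
    return caches

def foreign_caches(caches: list, uid: int) -> list:
    """Names of caches whose uid component is not ours (or is missing)."""
    return [c.name for c in caches if c.uid() != uid]

# Constructed sample in the 'klist -A' layout; the KCM:1001 cache is
# invented to show what a shared or leaked collection would look like.
SAMPLE = """Ticket cache: KCM:1000:737
Default principal: hedrick@CS.RUTGERS.EDU

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/CS.RUTGERS.EDU@CS.RUTGERS.EDU
\trenew until 07/16/2020 09:53:19

Ticket cache: KCM:1001:12
Default principal: other@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2019 12:40:00  07/22/2019 22:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
```

Run `foreign_caches(parse_klist(SAMPLE), os.getuid())` inside the daemon after switching uid to see whether the collection it was handed contains caches it should not be able to see.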

