[38590] in Kerberos
Re: krb5 library missing functions for collections
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Mon Jul 29 14:35:56 2019
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <c423f542-1a67-0060-fc4b-bf65cccb4f92@mit.edu>
Date: Mon, 29 Jul 2019 14:35:40 -0400
Message-ID: <jlglfwgvgcj.fsf@redhat.com>
MIME-Version: 1.0
Cc: Jakub Hrozek <jhrozek@redhat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Greg Hudson <ghudson@mit.edu> writes:
> On 7/22/19 1:39 PM, Charles Hedrick wrote:
>
>> Please be aware that I’m using Redhat’s KCM implementation in
>> sssd. It’s supposed to be compatible with Heimdal’s, but based on
>> documentation it appears that it may not be.
>>
>> The default value of KRB5CCNAME is simply KCM: It had better be
>> user-specific, or everybody shares a collection.
>
> The Heimdal KCM implements a single global collection with access
> control on individual caches, with the euid and egid of the client as
> the access keys. If a client doesn't have access to a cache, it isn't
> visible in the collection as presented to that client. Clients can
> only create ccaches with names beginning with their "<euid>:" prefix.
>
> In practice, users other than root will typically see disjoint
> collections, where each cache name begins with the client's euid. But
> that's not a fundamental property of the daemon, and therefore not an
> assumption of either the MIT krb5 or Heimdal client code.
>
> One could conceivably build this namespace assumption into the client,
> retrofitting it to treat "KCM:uid" as a collection by filtering out
> caches whose names don't begin with the uid prefix. Unfortunately
> that wouldn't be 100% backward-compatible, as the Heimdal kcm daemon
> allows clients to create individual caches named with only the euid
> (with no ":" afterwards). Perhaps that's not important, though.
>
> The sssd KCM may have different semantics from Heimdal's. If it doesn't
> let root see caches owned by other uids, then that would also have to be
> changed to allow "KCM:uid" to work for root.
(CCing Jakub in case I miss anything here.)
To my reading, SSSD's KCM deliberately allows root to access all ccaches
but not list them. See
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L75-L80
and
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L144-L156
Thanks,
--Robbie
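The per-uid view Greg sketches above (treating "KCM:uid" as a collection by keeping only cache names that begin with the client's euid prefix) as an added example; this is not part of the thread and not krb5, Heimdal or SSSD code. The sample cache names, the `allow_bare_uid` flag and the function names are assumptions constructed for illustration. It also covers the edge case he mentions, a cache named with only the euid and no ":" after it, and shows why the check must look at the character after the digits rather than doing a plain prefix match.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not krb5/Heimdal/SSSD code: a client-side filter that
 * turns a global KCM collection into the "KCM:uid" view described in the
 * thread by keeping only names that start with "<euid>:". */

/* Does `name` belong to the collection view for `euid`?
 * allow_bare_uid: also accept a cache named exactly "<euid>" (the Heimdal
 * behaviour noted in the thread; a strict filter would drop it). */
bool kcm_name_in_uid_view(const char *name, uid_t euid, bool allow_bare_uid)
{
    char prefix[32];
    int n = snprintf(prefix, sizeof prefix, "%lu", (unsigned long)euid);
    if (n < 0 || (size_t)n >= sizeof prefix)
        return false;
    /* Compare the digits only, then insist on ':' (or end of string) so
     * that uid 1000 does not match "10000:..." by plain prefix. */
    if (strncmp(name, prefix, (size_t)n) != 0)
        return false;
    if (name[n] == ':')
        return true;
    return allow_bare_uid && name[n] == '\0';
}

/* Copy the names visible to `euid` from a NULL-terminated array into `out`
 * (capacity `max`); returns the number copied. */
size_t kcm_filter_collection(const char *const *names, uid_t euid,
                             bool allow_bare_uid, const char **out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; names[i] != NULL && count < max; i++) {
        if (kcm_name_in_uid_view(names[i], euid, allow_bare_uid))
            out[count++] = names[i];
    }
    return count;
}

/* Constructed sample of what a global collection might hold. */
static const char *const sample_collection[] = {
    "1000:primary", "1000", "10000:other", "0:root", "1001:alice", NULL
};

/* Convenience: how many sample entries `euid` would see. */
size_t sample_view_count(uid_t euid, bool allow_bare_uid)
{
    const char *view[8];
    return kcm_filter_collection(sample_collection, euid, allow_bare_uid,
                                 view, 8);
}

int main(void)
{
    const char *view[8];
    bool modes[] = { false, true };
    for (size_t m = 0; m < 2; m++) {
        size_t n = kcm_filter_collection(sample_collection, 1000, modes[m],
                                         view, 8);
        printf("uid 1000, %s: %zu cache(s)\n",
               modes[m] ? "bare uid allowed" : "strict", n);
        for (size_t i = 0; i < n; i++)
            printf("  %s\n", view[i]);
    }
    return 0;
}
```

Note that this filter is only a presentation rule on the client side: which caches a client may actually read or create is still decided by the daemon's euid/egid check, so a root client that is allowed to open other users' caches but not list them (the SSSD behaviour Robbie points to) would need a daemon-side change, not a client-side one, for "KCM:uid" to enumerate correctly.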
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos