[39617] in Kerberos
Re: krb5ccmachine
daemon@ATHENA.MIT.EDU (Marek Greško via Ke)
Mon Apr 27 13:02:47 2026
Date: Mon, 27 Apr 2026 17:02:24 +0000
To: "Christian, Mark" <mark.christian@intel.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Message-ID: <YjndUr_KkGoKxdmZ3hURCzUX_5uMB8a74w8WcBsrgi0-nk-VPxuk0ccdGoMrqiWQV-gpG2WUbNdfQUbBrmWbLZA5ik87NIcfPR4fJf4UfRQ=@protonmail.com>
In-Reply-To: <bdfd7ab3a1a76bbd5abb3ae219c5cebce8d2621a.camel@intel.com>
From: Marek Greško via Kerberos <kerberos@mit.edu>
Reply-To: Marek Greško <marek.gresko@protonmail.com>
Hello,
so for klist it seems it is generated by gssproxy, because there is an nfs/ ticket.
Regarding gssproxy.conf I have the file /etc/gssproxy/99-network-fs-clients.conf containing:
[service/network-fs-clients]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
min_lifetime = 60
But apparently it is not using the path. I also did not find how to specify the path for the machine ccache. Even better, if I could convince the machine ccache to also be stored in KCM. Is it possible?
Thanks
Marek
Sent with Proton Mail secure email.
On Monday, 27 April 2026, 16:19, Christian, Mark <mark.christian@intel.com> wrote:
> On Mon, 2026-04-27 at 04:38 +0000, Marek Greško wrote:
> > Hello,
> >
> > the
> > kinit -c /tmp/krb5ccmachine_EXAMPLE.COM
> > asks for password. Which password? What should I expect thereafter to
> > happen?
>
> Sorry I meant for you to use klist, not kinit:
>
> % klist -c /tmp/krb5ccmachine_EXAMPLE.COM
>
> >
> > I also asked AI to help me on the original issue. It thinks it is
> > related to gssproxy and most probably it is right. It stated there is
> > not much to do and I should accept the current state. But I feel a
> > little bit unhappy, since it creates a file with a predictable name in
> > /tmp and it could be a security risk.
>
> See man gssproxy.conf for details on how to configure the location of
> cred_store / ccache.
>
> Mark
>
>
> >
> > Thanks
> >
> > Marek
> >
> >
> >
> > Sent with Proton Mail secure email.
> >
> > On Friday, 24 April 2026, 16:02, Christian, Mark
> > <mark.christian@intel.com> wrote:
> >
> > > On Fri, 2026-04-24 at 10:44 +0000, Marek Greško via Kerberos wrote:
> > > > Hello,
> > > >
> > > > I have configured a Kerberos client on Fedora 43. I configured
> > > > Kerberos to use KCM: ccache. Users' ccaches are in KCM, but I
> > > > always see the file /tmp/krb5ccmachine_EXAMPLE.COM created. Why
> > > > is this file created?
> > >
> > > Perhaps related to your kerberos NFS configuration? Inspect the
> > > cache, kinit -c /tmp/krb5ccmachine_EXAMPLE.COM, doing so might
> > > clue you in.
> > >
> > > Mark
> > >
> > > > What mechanism does not use KCM and how could it be convinced to
> > > > do so?
> > > >
> > > > Thanks
> > > >
> > > > Marek
> > > > ________________________________________________
> > > > Kerberos mailing list Kerberos@mit.edu
> > > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> > >
>
>