On Wed, 2009-11-11 at 17:27 -0500, Brian J. Murrell wrote:
> > If you want to renew the TGT with every authentication you have to use a
> > per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.
>
> I don't think so. I think even a per-login-session ccache file that
> will be created by a gnome session should work if sssd is correctly
> renewing the TGT, because the same ccache file that was created by gdm
> should be updated by gnome-screensaver.

I have tested this yesterday (with git master): if you set
FILE:%d/krb5cc_%U sssd will happily refresh the credentials at screen
unlock. Unfortunately the code and the docs disagree on the parm name,
but we already have a patch on the list to fix this.

> > We are currently discussing how to handle renewals in a more general way
> > so that it would be possible to renew FILE:%d/krb5cc_%U_XXXXXX-style
> > files too.
>
> I really don't see why these FILE:%d/krb5cc_%U_XXXXXX-style files would
> not renew in the context of a gnome session.

Because sssd is generating a new one each time for now (yes, it's a bug).

> On the other hand, I don't really see the purpose of
> FILE:%d/krb5cc_%U_XXXXXX-style files where every login session is a new
> ccache.
>
> Can anyone share a use-case where this is needed?

Well, I think people were worried that using a predictable name
(krb5cc_%U) could be used by a malicious user to mount symlink race
attacks. We have just copied what is already an available scheme for the
krb5 libraries, although we might switch to a default of
FILE:%d/krb5cc_%U for the 1.0 release to avoid issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
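The thread contrasts a predictable per-user ccache name (FILE:%d/krb5cc_%U) with the mkstemp-style FILE:%d/krb5cc_%U_XXXXXX scheme and names the worry behind the latter: a symlink planted at a predictable name. The following is an added example, not code from sssd or MIT krb5, showing how a template of either form can be expanded and the file created so that a pre-planted symlink is refused rather than followed. It assumes (these are not stated in the thread) that %d expands to a directory, %U to the numeric uid, and a trailing XXXXXX to a random suffix; the function names, the `victim` file and the planted symlink are constructed for the demonstration.

```python
"""
Added example (not sssd's or krb5's own code): expand a ccache template
such as FILE:%d/krb5cc_%U or FILE:%d/krb5cc_%U_XXXXXX and create the
file so that a symlink pre-planted at the predictable name cannot
redirect the write. Assumptions (not from the thread): %d is a directory,
%U the numeric uid, XXXXXX a random suffix as with mkstemp.
"""
import os
import secrets
import string
import tempfile


class CcacheNameError(Exception):
    """Raised when the ccache cannot be created at the requested name."""


def expand_ccache_template(template: str, ccache_dir: str, uid: int) -> str:
    """Expand %d and %U; a trailing XXXXXX is left for create_ccache()."""
    if not template.startswith("FILE:"):
        raise CcacheNameError("only FILE: ccaches are handled here")
    path = template[len("FILE:"):]
    return path.replace("%d", ccache_dir).replace("%U", str(uid))


def _random_suffix(n: int = 6) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def create_ccache(path: str, attempts: int = 100) -> str:
    """Create the ccache file and return the final path.

    O_CREAT|O_EXCL makes open() fail with EEXIST if anything already sits
    at the name, a symlink included (POSIX requires this regardless of the
    link target); O_NOFOLLOW additionally refuses to traverse a symlink at
    the final component. Mode 0600 keeps the TGT readable by the owner only.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    randomized = path.endswith("XXXXXX")
    for _ in range(attempts if randomized else 1):
        candidate = path[:-6] + _random_suffix() if randomized else path
        try:
            fd = os.open(candidate, flags, 0o600)
        except FileExistsError:
            if randomized:
                continue  # pick another random name
            raise CcacheNameError(
                f"{candidate} already exists (possible planted symlink)")
        os.close(fd)
        return candidate
    raise CcacheNameError("could not find an unused random ccache name")


def demo(tmpdir: str, uid: int = 1000) -> dict:
    """Constructed scenario: an attacker who can write to %d plants a
    symlink at the predictable name; compare both templates."""
    victim = os.path.join(tmpdir, "victim")  # constructed target file
    with open(victim, "w") as f:
        f.write("attacker-controlled target\n")
    predictable = expand_ccache_template("FILE:%d/krb5cc_%U", tmpdir, uid)
    os.symlink(victim, predictable)  # the planted symlink
    result = {}
    try:
        create_ccache(predictable)
        result["predictable"] = "created"
    except CcacheNameError:
        result["predictable"] = "refused"
    randomized = expand_ccache_template("FILE:%d/krb5cc_%U_XXXXXX", tmpdir, uid)
    result["randomized"] = os.path.basename(create_ccache(randomized))
    with open(victim) as f:
        result["victim_untouched"] = f.read() == "attacker-controlled target\n"
    return result


def run_demo_in_tempdir(uid: int = 1000) -> dict:
    """Run demo() in a throwaway directory so the example is self-contained."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d, uid)


if __name__ == "__main__":
    print(run_demo_in_tempdir())
```

Note what the example does and does not show: O_EXCL defeats a symlink that is already in place, and the random suffix removes the attacker's ability to guess the name beforehand; it does not address the renewal problem discussed above, where a new XXXXXX file per session leaves the earlier one unrenewed.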