On Wed, 2009-11-11 at 19:03 -0500, Simo Sorce wrote:
> I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U
> sssd will happily refresh the credentials at screen unlock.
Ahhh. ~light bulb goes on~ I am finally coming around to what you are saying. Wow. It's even more broken than I had feared. Certainly that the ccache filename gets regenerated on each authentication is very not so nice. Even if each "session" had a separate ccache courtesy of the _XXXXXX, it's imperative that each login session (including klist, kinit, gnome-screensaver via sssd, etc.) all use the same ccache file, all of the time.

However, that said, I have tried removing the _XXXXXX uniqueness from the ccache filename but that does not alleviate my issue here. I now have:

    krb5_ccachedir = /tmp
    ; krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
    krb5_ccname_template = FILE:%d/krb5cc_%U

And yet I am still getting ccache files with the _XXXXXX postfix on them. I have even rebooted completely to ensure that there is nothing hanging around in memory causing this.

> Because sssd is generating a new one each time for now (yes it's a bug).

Yeah, just coming around to that concept. Sorry for being so dense.

> Well I think people were worried that using a predictable name (krb5cc_%U)
> could be used by malicious user to mount symlink race attacks. We
> have just copied what is already an available scheme for the krb5
> libraries, although we might switch to a default of FILE:%d/krb5cc_%U
> for the 1.0 release to avoid issues.

Hrm. Yeah. On my non-sssd (pam_krb5) machine here, it's also a krb5cc_%U_XXXXXX based filename, but everything here in an entire gnome-session is using the same file, over and over again. But I also note that on my non-sssd machines, every process has a KRB5CCNAME environment variable, very likely simply through inheritance from the process that started the entire login session. sssd logins don't seem to be setting this variable for the children to inherit which is likely the root of all of this issue. Even a simple ssh->sssd->bash does not populate the environment with a KRB5CCNAME variable.

b.
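The symlink-race concern quoted above is about a predictable FILE:/tmp/krb5cc_%U path. As an added example (not code from this thread or from the sssd project), here is a POSIX shell check that refuses a KRB5CCNAME whose cache file is a symlink, is not owned by the caller, or is not mode 0600; it assumes GNU coreutils stat, and the files it builds for the demo are constructed, not real credential caches.

```shell
#!/bin/sh
# Added example, not code from the thread or from sssd. Checks that a
# KRB5CCNAME value such as FILE:/tmp/krb5cc_1000 points at a cache file
# that is safe for this user to use. Assumes GNU coreutils stat (Linux).

ccache_path() {
    # Strip the "FILE:" prefix; other cache types are out of scope here.
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      return 1 ;;
    esac
}

check_ccache() {
    path=$(ccache_path "$1") || { echo "not a FILE: ccache: $1" >&2; return 1; }
    # A predictable /tmp/krb5cc_%U name is exactly what a symlink race
    # would target, so refuse a symlink before -f follows it.
    if [ -L "$path" ]; then echo "refusing symlink: $path" >&2; return 1; fi
    [ -f "$path" ] || { echo "missing or not a regular file: $path" >&2; return 1; }
    owner=$(stat -c %u "$path") || return 1
    mode=$(stat -c %a "$path") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "wrong owner $owner on $path" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "mode $mode on $path, want 600" >&2; return 1; }
    return 0
}

# Demo on constructed files in a private temp dir (not real ccaches):
# one correct cache, one world-readable, one reached through a symlink.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/krb5cc_good";  chmod 600 "$d/krb5cc_good"
    : > "$d/krb5cc_loose"; chmod 644 "$d/krb5cc_loose"
    ln -s "$d/krb5cc_good" "$d/krb5cc_link"
    check_ccache "FILE:$d/krb5cc_good"  && echo "good: accepted"
    check_ccache "FILE:$d/krb5cc_loose" || echo "loose: rejected"
    check_ccache "FILE:$d/krb5cc_link"  || echo "link: rejected"
    rm -rf "$d"
}

demo
```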
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel