URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> > while testing this PR it looks like `KRB5CCNAME` is not respected. If the
> > user uses a different ccache type as defined in `/etc/krb5.conf` or if with
> > `default_ccache_name = FILE:/tmp/krb5cc_%{uid}_XXXXXX` the ccache name has
> > a random component authentication does not work.
>
> Hmm, nice catch. Unfortunately sudo resets the environment before PAM
> invocation so KRB5CCNAME is not available for the PAM module. It can be made
> available by adding it to env_keep in /etc/sudoers but this will also make it
> available in the called process and this is probably not what we want so we
> will have to patch sudo to keep this variable for PAM. I'll ask sudo upstream
> what are our options.

Hi,

this is during authentication and at this stage the environment is not cleaned
up. If I use `default_ccache_name = FILE:/tmp/krb5cc_%{uid}_XXXXXX` the module
fails and `sudo` will ask for a password; if I check the environment at this
stage I see:

    # cat /proc/$(pidof sudo)/environ | tr '\0' '\n' | grep KRB
    KRB5CCNAME=FILE:/tmp/krb5cc_1367201104_K74YJ1

so I guess `$KRB5CCNAME` is available.

HTH

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-734371711
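The point of the exchange above is that a ccache name with a random component (the `XXXXXX` that libkrb5 fills in at creation time) cannot be reconstructed from `default_ccache_name` and the uid alone, so a module that ignores `KRB5CCNAME` has nothing to open. The following is an added example, not code from the sssd PR or from sudo: it parses a `/proc/<pid>/environ` blob the way the `cat ... | tr '\0' '\n'` check does, and resolves the ccache the way a PAM module would want to, honouring `KRB5CCNAME` first and only then expanding the `krb5.conf` template. The sample environment is constructed; only the `%{uid}` parameter of the template is expanded (a real module would let libkrb5 do this via `krb5_cc_default_name`), and reading another process's `environ` requires root or ptrace access to that process.

```python
from typing import Dict, Optional

# Constructed sample of /proc/<pid>/environ content (NUL-separated KEY=VALUE),
# modelled on what the comment above reports seeing in sudo during PAM auth.
SAMPLE_ENVIRON = (
    b"LANG=C.UTF-8\0"
    b"USER=alice\0"
    b"KRB5CCNAME=FILE:/tmp/krb5cc_1367201104_K74YJ1\0"
    b"PATH=/usr/bin:/bin\0"
)


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split a /proc/<pid>/environ blob into a dict, tolerating a trailing NUL."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_proc_environ(pid: int) -> Dict[str, str]:
    """Read the initial environment of a live process (needs root for sudo)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return parse_environ(f.read())


def expand_default_ccache(template: str, uid: int) -> Optional[str]:
    """Expand a krb5.conf default_ccache_name template for one uid.

    Returns None when the template carries a random component (XXXXXX):
    libkrb5 fills that in when the cache is created, so the resulting name
    cannot be reconstructed from the template and the uid.
    """
    expanded = template.replace("%{uid}", str(uid))
    if "XXXXXX" in expanded:
        return None
    return expanded


def resolve_ccache(env: Dict[str, str], uid: int, template: str) -> Optional[str]:
    """KRB5CCNAME wins when set; otherwise fall back to the expanded default."""
    name = env.get("KRB5CCNAME")
    if name:
        return name
    return expand_default_ccache(template, uid)


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print(resolve_ccache(env, 1367201104, "FILE:/tmp/krb5cc_%{uid}_XXXXXX"))
    print(resolve_ccache({}, 1367201104, "FILE:/tmp/krb5cc_%{uid}_XXXXXX"))
```

With `KRB5CCNAME` present the randomised cache is found; with the variable stripped and a randomised template, `resolve_ccache` returns `None`, which is exactly the "module fails and sudo asks for a password" outcome described above.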
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org