[Bug 2775] Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 18 19:29:06 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

--- Comment #8 from Jakub Jelen <jjelen at redhat.com> ---
Thank you very much for the review, for trying the patch and for the
valuable comments.

I did not know about krb5_cc_cache_match() function and it would
certainly make sense to reuse the same principal instead of creating a
new entry.

About compatibility with older Kerberos versions, this is probably a
question for upstream. Here at Red Hat, we will probably not need to
support anything older than 1.15.

About switching to the user context, we indeed do it, but at the time
of the credential creation we cannot yet switch both the effective and
the real uid permanently, and the Kerberos code uses the real uid for
the template expansions.

As you describe for the KCM cache, it is not possible to use it, since
it does not have any collection that would be accessible from root and
from the user under the same name, which I also consider a bad design,
but the Kerberos guys do not see it as an issue.

We used to set KRB5CCNAME, but that has its own drawbacks. After
creating the credential in a collection, I did not find any unified way
to get the name of the containing collection from Kerberos, which I
could use for the above environment variable. There used to be several
workarounds for the various collection types (FILE, DIR, ...), and
setting it wrongly caused issues such as [1].

I will try to have a look into your proposed changes and incorporate
them into the patch.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1199363

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
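The real-uid versus effective-uid problem described in the comment above, shown as an added illustration (not part of the bug report, the OpenSSH patch or libkrb5): libkrb5 expands `%{uid}` in a credential-cache template such as `default_ccache_name = DIR:/run/user/%{uid}` from the process's real uid, so a privileged daemon that has only called `seteuid()` to the target user still resolves the path to root's cache. The expander below is a hypothetical minimal stand-in that handles only the `%{uid}` and `%{euid}` tokens; the `DIR:/run/user/%{uid}` template is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical minimal expander for the two krb5-style tokens relevant here.
 * Real libkrb5 supports many more tokens; this is an added illustration only.
 * Returns 0 on success, -1 if the output buffer is too small. */
int expand_ccache_template(const char *tmpl, uid_t ruid, uid_t euid,
                           char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = tmpl;

    while (*p) {
        uid_t val;
        size_t toklen;
        if (strncmp(p, "%{uid}", 6) == 0) {        /* real uid, as libkrb5 does */
            val = ruid; toklen = 6;
        } else if (strncmp(p, "%{euid}", 7) == 0) { /* effective uid */
            val = euid; toklen = 7;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p++;
            continue;
        }
        int n = snprintf(out + o, outlen - o, "%lu", (unsigned long)val);
        if (n < 0 || (size_t)n >= outlen - o)
            return -1;
        o += (size_t)n;
        p += toklen;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 if the template resolves to a different path for a daemon that
 * has only switched its effective uid (ruid 0, euid = user) than for a fully
 * switched process (ruid = euid = user); 0 if the two agree; -1 on error. */
int template_depends_on_real_uid(const char *tmpl, uid_t target_uid)
{
    char only_euid[256], fully_switched[256];

    if (expand_ccache_template(tmpl, 0, target_uid,
                               only_euid, sizeof only_euid) != 0)
        return -1;
    if (expand_ccache_template(tmpl, target_uid, target_uid,
                               fully_switched, sizeof fully_switched) != 0)
        return -1;
    return strcmp(only_euid, fully_switched) != 0;
}

int main(void)
{
    /* Constructed sample template in the style of krb5.conf default_ccache_name. */
    const char *tmpl = "DIR:/run/user/%{uid}";
    char path[256];

    /* What the current process would get: real uid from getuid(). */
    if (expand_ccache_template(tmpl, getuid(), geteuid(), path, sizeof path) == 0)
        printf("this process resolves %s to %s\n", tmpl, path);

    /* Privileged daemon after seteuid(1000) only: still root's cache directory. */
    if (expand_ccache_template(tmpl, 0, 1000, path, sizeof path) == 0)
        printf("ruid 0 / euid 1000 resolves to %s\n", path);

    printf("depends on real uid: %d\n", template_depends_on_real_uid(tmpl, 1000));
    return 0;
}
```

The check in `template_depends_on_real_uid` is the kind of test a reviewer might keep in mind: any template using `%{uid}` (rather than `%{euid}`) will only be correct once both the real and the effective uid have been switched, which is exactly the ordering constraint the comment describes.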