On Tue, 22 Aug 2017, Russ Allbery wrote:
> Matthew Gabeler-Lee <chee...@fastcat.org> writes:
>> 1) The documentation claims you can set the credential cache filename in
>> krb5.conf, but this appears to be a lie. If you don't give the pam ccache=
>> option, then it uses a hard-coded string to form the cache filename,
>> disregarding any settings in krb5.conf.
> Could you show me your krb5.conf file where you tried to set this?
    [libdefaults]
        default_realm = our.active.directory.realm
        dns_lookup_realm = false
        dns_lookup_kdc = true
        # added this line:
        default_cc_name = /tmp/krb5cc_%{uid}
I also tried without the path and with %u instead of %{uid}. None of it
worked. I resorted to UTSL, and was not surprised it hadn't worked:
setcred.c, function build_ccache_name:

    if (args->config->ccache == NULL) {
        retval = asprintf(&cache_name, "%s/krb5cc_%d_XXXXXX",
                          args->config->ccache_dir, (int) uid);
        // ...
From what I can see, there is simply no case in this package's code
where it visibly reads the krb5.conf file, nor where it allows the krb5
implementation library to use whatever defaults are in krb5.conf. It
always seems to give an explicit filename to the krb5 library that will
override whatever is in krb5.conf.
> Yeah, this is how the PAM update system works. I can't change this as a
> PAM package maintainer (and there are a bunch of reasons why it works this
> way).
For my edification, can you explain why /usr/share/pam-configs/krb5
can't be made a conffile? It would solve this frustration, and some
related frustrations I've had with other libpam-foo packages. I assume
there is a good reason for it, it's just not obvious to me what that is.
--
-Matt
"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick
GPG fingerprint: 0061 15DF D282 D4A9 57CE 77C5 16AF 1460 4A3C C4E9
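An added example, not part of this thread and not pam-krb5's own code: the C below reconstructs the name-building step Matthew quotes from setcred.c (an explicit ccache= option wins, otherwise ccache_dir plus the UID plus a mkstemp template) so the behaviour he describes can be reproduced on a bare system, and adds the two checks a practitioner wants next. First, the trailing XXXXXX is only ever turned into a file with mkstemp(3), which creates it O_CREAT|O_EXCL with mode 0600, so a file or symlink that someone else planted at a guessable path is never reused. Second, an lstat-based check that the resulting cache is a private regular file owned by the caller. Because the module hands libkrb5 a fully formed name, libkrb5's default_cc_name lookup (which only happens when the library is asked for the default cache) is never reached. The function names, the refusal to open a non-template name, and the /tmp directory are assumptions of this example; the real pam-krb5 function goes on to pass the name to the Kerberos library, which is omitted here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Reconstruction (not pam-krb5's code) of the logic quoted from setcred.c:
 * an explicit ccache option is used verbatim; otherwise the name is composed
 * from ccache_dir and the numeric UID.  krb5.conf's default_cc_name is never
 * consulted on either path, because the caller ends up giving libkrb5 an
 * explicit name.  Returns 0 on success, -1 on allocation failure.
 */
int build_ccache_name(const char *ccache_opt, const char *ccache_dir,
                      uid_t uid, char **out)
{
    char *name;

    if (ccache_opt != NULL) {
        name = strdup(ccache_opt);
    } else {
        /* Same format string as the quoted asprintf call. */
        int len = snprintf(NULL, 0, "%s/krb5cc_%d_XXXXXX", ccache_dir, (int) uid);
        if (len < 0)
            return -1;
        name = malloc((size_t) len + 1);
        if (name != NULL)
            snprintf(name, (size_t) len + 1, "%s/krb5cc_%d_XXXXXX",
                     ccache_dir, (int) uid);
    }
    if (name == NULL)
        return -1;
    *out = name;
    return 0;
}

/*
 * Turn the template into a real file.  The trailing XXXXXX is a mkstemp(3)
 * template: mkstemp creates the file atomically with O_CREAT|O_EXCL and mode
 * 0600 and rewrites the template to the final name, so nothing that already
 * sits at a predictable path (a file or a symlink) is ever opened.  A name
 * without the template is refused rather than opened unsafely (this refusal
 * is an assumption of the example, not pam-krb5 behaviour).
 * Returns the open descriptor, or -1 with errno set.
 */
int create_ccache_file(char *template)
{
    size_t n = strlen(template);
    mode_t old;
    int fd;

    if (n < 6 || strcmp(template + n - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    old = umask(077);              /* mkstemp already uses 0600; belt and braces */
    fd = mkstemp(template);
    umask(old);
    return fd;
}

/*
 * Post-condition a session module should be able to rely on: the cache is a
 * regular file (lstat, so a symlink fails the check), owned by the given
 * UID, with no group or other permission bits.  Returns 1 if so, else 0.
 */
int ccache_is_private(const char *path, uid_t uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid && (st.st_mode & 077) == 0;
}

int main(void)
{
    char *name;
    int fd;

    /* No ccache= option given: the name comes from ccache_dir and the UID. */
    if (build_ccache_name(NULL, "/tmp", getuid(), &name) != 0)
        return 1;
    printf("template: %s\n", name);
    fd = create_ccache_file(name);
    if (fd < 0) {
        perror("mkstemp");
        free(name);
        return 1;
    }
    printf("created:  %s (private=%d)\n", name, ccache_is_private(name, getuid()));
    close(fd);
    unlink(name);
    free(name);
    return 0;
}
```

Running it prints the template `/tmp/krb5cc_<uid>_XXXXXX` and then the name mkstemp actually created, which is the shape of file you will find in /tmp after a pam-krb5 login when no ccache= option is set; a `default_cc_name` in krb5.conf does not change it, whereas passing an explicit ccache= pattern replaces the whole template.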