On Wed, 23 Aug 2017, Russ Allbery wrote:
> You'd also mentioned that you had read the man page about this, so I think
> there's a bug here in the man page and how it discusses options that I'd
> love to try to fix. It looks like the way to do this wasn't obvious
> enough. The key bit, though, is here: [snip]
Aah, now I see. Indeed I was a bit hasty when scanning the manpage for
the thing I wanted to change (I think I just searched for "krb5cc_"
since that's what I wanted to change).
> This *should* work; please let me know if it doesn't.
Gave it a whirl, it works ... after I sort out my typos ;)
> And let me know if
> there's a way that I can make this information easier to find in the man
> page.
A possible wording for the individual options that might help point
folks back at the krb5.conf explanation without being too wordy (since
it gets repeated a lot):
"This option can be set in the [appdefaults]/pam section or krb5.conf,
..."
> I should probably also call out that the PAM module doesn't use the
> library default ccache location. (I should also remember why I did that;
> I know I had a specific reason, but I don't remember what it was.)
Agreed -- looking through the man page more carefully, I notice there is
some discussion about a similar issue relating to how realms are
handled; it would make sense to add a note about not using the normal
defaults to this parameter too.
Thinking it through, I have a hunch why using the default "just specific
to the UID" cache might be a bad idea if you don't have a daemon like
winbindd to help manage sessions:
If you log in once, and then a second time, and then log out one of
those two sessions, that would empty/destroy the cache, leaving the
other session with no ticket(s). I just tested that, and indeed it is
the case.
(pam)_winbind(d) doesn't have this problem, I think because it uses the
daemon to be aware of the multiple sessions, so it can advise them if
they are the "last" one and thus whether the cache should be destroyed
or not when each session exits.
But without that kind of support, it's a good reason to have pam_krb5
default to a per-session ticket cache. It complicates upcalls and
anything else that wants to leverage a session's ticket cache from
outside the session, but I'm not sure there's any easy way around that.
> > For my edification, can you explain why /usr/share/pam-configs/krb5
> > can't be made a conffile?
> Files in /usr are not permitted to be configuration files.
>
> Now, the other question is why these files aren't in /etc somewhere, which
> would allow them to be conffiles and configuration files. That's a good
> question -- I don't really know off the top of my head why it was defined
> that way. I'm pretty sure it was discussed in the original PAM
> configuration proposal for pam-auth-update. The intent was that this
> system should only be used if you want a fully-default PAM configuration
> given the modules you have installed, but I'm not sure why that was the
> intent.
Thanks for explaining. I can run with that and see what I can find, and
maybe propose a change to the PAM maintainer(s).
--
-Matt
"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick
GPG fingerprint: 0061 15DF D282 D4A9 57CE 77C5 16AF 1460 4A3C C4E9