The client.keytab path is standard functionality provided by libkrb5.so in Ubuntu 18.04. Here is the relevant documentation:
http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html

    default_client_keytab_name
        This relation specifies the name of the default keytab for
        obtaining client credentials. The default is
        FILE:/etc/krb5/user/%{euid}/client.keytab. This relation is
        subject to parameter expansion (see below). New in release 1.11.

It gets invoked by slapd when GSSAPI is specified as the sasl mechanism (e.g. with syncrepl). This was added as a feature to libkrb5 to streamline the process of automated authentication, so that people don't have to set up cron jobs to periodically run kinit.

Regarding /tmp/krb5cc_*, that is the standard location for the credential cache file created by the kinit process. In this case, the equivalent of "kinit -k /etc/krb5/user/389/client.keytab" is done by slapd, leading to /tmp/krb5cc_389 being created.

--
https://bugs.launchpad.net/bugs/1783183

Title:
  apparmor profile denied for kerberos client keytab and credential cache files
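An added example, not part of the bug comment or of any Ubuntu package: it expands the documented default_client_keytab_name for a given euid and picks out AppArmor denials on the resulting keytab and credential cache paths. The profile name /usr/sbin/slapd, the audit record layout and the sample log lines are assumptions constructed for illustration.

```python
import re

# Default from the krb5.conf(5) text quoted above; %{euid} is expanded by libkrb5.
DEFAULT_CLIENT_KEYTAB = "FILE:/etc/krb5/user/%{euid}/client.keytab"

def expected_paths(euid, keytab_name=DEFAULT_CLIENT_KEYTAB):
    """Return the files slapd touches for GSSAPI when running as `euid`."""
    keytab = keytab_name.replace("%{euid}", str(euid))
    if keytab.startswith("FILE:"):
        keytab = keytab[len("FILE:"):]
    return {"client keytab": keytab, "credential cache": f"/tmp/krb5cc_{euid}"}

# Matches key="value" and key=value pairs in a kernel audit record.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def kerberos_denials(log_lines, euid, profile="/usr/sbin/slapd"):
    """List (label, path, denied_mask) for denials on the expected Kerberos files."""
    wanted = {path: label for label, path in expected_paths(euid).items()}
    hits = []
    for line in log_lines:
        rec = {k: quoted or bare for k, quoted, bare in _FIELD.findall(line)}
        # Assumed profile name; complain-mode ("ALLOWED") records are skipped.
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        label = wanted.get(rec.get("name"))
        if label:
            hits.append((label, rec["name"], rec.get("denied_mask", "")))
    return hits

# Constructed sample records (not taken from the bug report).
_PREFIX = "Jul 24 10:00:01 ldap1 kernel: audit: type=1400 audit(1532426401.101:71): "
SAMPLE_LOG = [
    _PREFIX + 'apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" '
    'name="/etc/krb5/user/389/client.keytab" pid=2101 comm="slapd" '
    'requested_mask="r" denied_mask="r" fsuid=389 ouid=0',
    _PREFIX + 'apparmor="DENIED" operation="mknod" profile="/usr/sbin/slapd" '
    'name="/tmp/krb5cc_389" pid=2101 comm="slapd" '
    'requested_mask="wrc" denied_mask="wrc" fsuid=389 ouid=389',
    _PREFIX + 'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" '
    'name="/tmp/krb5cc_389" pid=900 comm="ntpd" requested_mask="r" denied_mask="r"',
    _PREFIX + 'apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" '
    'name="/etc/krb5/user/389/client.keytab" pid=2101 comm="slapd" denied_mask="r"',
]

if __name__ == "__main__":
    for label, path, mask in kerberos_denials(SAMPLE_LOG, 389):
        print(f"{label}: {path} denied ({mask})")
```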