Matthew Gabeler-Lee <chee...@fastcat.org> writes:

> [libdefaults]
>     default_realm = our.active.directory.realm
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     # added this line:
>     default_cc_name = /tmp/krb5cc_%{uid}

> I also tried without the path and with %u instead of %{uid}.  None of it
> worked.

You'd also mentioned that you had read the man page about this, so I think
there's a bug here in the man page and how it discusses options that I'd
love to try to fix.  It looks like the way to do this wasn't obvious
enough.  The key bit, though, is here:

    To set an option for the PAM module in the system krb5.conf file, put
    that option in the [appdefaults] section.  All options must be
    followed by an equal sign (=) and a value, so for boolean options add
    "= true".  The Kerberos PAM module will look for options either at
    the top level of the [appdefaults] section or in a subsection named
    "pam", inside or outside a section for the realm.  For example, the
    following fragment of a krb5.conf file would set forwardable to true,
    minimum_uid to 1000, and set ignore_k5login only if the realm is
    EXAMPLE.COM.

        [appdefaults]
            forwardable = true
            pam = {
                minimum_uid = 1000
                EXAMPLE.COM = {
                    ignore_k5login = true
                }
            }

So the way to set the Kerberos ticket cache is:

    [appdefaults]
        pam = {
            ccache = /tmp/krb5cc_%u
        }

This *should* work; please let me know if it doesn't.  And let me know if
there's a way that I can make this information easier to find in the man
page.  I should probably also call out that the PAM module doesn't use the
library default ccache location.  (I should also remember why I did that;
I know I had a specific reason, but I don't remember what it was.)

> From what I can see, there is simply no case in this package's code
> where it visibly reads the krb5.conf file, nor where it allows the krb5
> implementation library to use whatever defaults are in krb5.conf.

That code is in options.c and pam-util/options.c, which will set
args->config->ccache from krb5.conf settings.

> For my edification, can you explain why /usr/share/pam-configs/krb5
> can't be made a conffile?  It would solve this frustration, and some
> related frustrations I've had with other libpam-foo packages.  I assume
> there is a good reason for it, it's just not obvious to me what that is.

Files in /usr are not permitted to be configuration files.  Now, the
other question is why these files aren't in /etc somewhere, which would
allow them to be conffiles and configuration files.  That's a good
question -- I don't really know off the top of my head why it was defined
that way.  I'm pretty sure it was discussed in the original PAM
configuration proposal for pam-auth-update.  The intent was that this
system should only be used if you want a fully-default PAM configuration
given the modules you have installed, but I'm not sure why that was the
intent.  The PAM maintainer would need to be the one to make that change
to move the files, if they could be convinced to do so (and would be more
familiar with the pros and cons).

Anyway, that's the reason why I've always written my Kerberos-related PAM
modules such that all configuration that makes any sense to set globally
on the system can be set in krb5.conf.  That avoids the problem by not
requiring anything to modify the PAM configuration.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
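As an added illustration (not part of the thread above and not pam-krb5's own code), the following Python models the [appdefaults] lookup the man page excerpt describes. It parses the two krb5.conf fragments from the message, reproduced here as constructed sample input, and resolves the "ccache" option for the "pam" application and a realm, which makes the failure mode concrete: a default_cc_name under [libdefaults] is never reached by an [appdefaults] lookup, while the same pattern under pam = { ... } is. Two things are assumptions of this example rather than facts from the thread: the precedence order among the four places an option may live (most specific first) and the expansion of %u to the user's numeric UID; the module's real search order and escape set are in its man page and in pam-util/options.c.

```python
"""Model of the [appdefaults] lookup described above (added example, not
pam-krb5's own code).  Assumptions, not from the thread: the precedence
order in appdefault() and the expansion of %u to the numeric UID."""
import re

# Constructed input: the [libdefaults]-only attempt from the thread.
LIBDEFAULTS_ONLY = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_cc_name = /tmp/krb5cc_%{uid}
"""

# Constructed input: the [appdefaults] form from the reply, merged with the
# man page fragment so realm-specific lookup can be exercised too.
APPDEFAULTS_PAM = LIBDEFAULTS_ONLY + """
[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000
        ccache = /tmp/krb5cc_%u
        EXAMPLE.COM = {
            ignore_k5login = true
        }
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts {section: {key: str | dict}}.
    Handles [section], key = value, key = { ... } and '#' comments; the
    first occurrence of a key wins.  Raises ValueError on bad nesting."""
    conf, stack = {}, []  # stack: dicts being filled, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]\s]+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}': %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = stack[-1].get(key)
            if not isinstance(sub, dict):
                sub = stack[-1][key] = {}
            stack.append(sub)
        else:
            stack[-1].setdefault(key, value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of input")
    return conf

def _lookup(node, path):
    """Follow path through nested dicts; return a string leaf or None."""
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None

def appdefault(conf, appname, realm, option):
    """Return (value, "appdefaults/<path>") or (None, None).  The order
    below (most specific first) is this example's assumption, not a copy
    of the library's own krb5_appdefault search."""
    app = conf.get("appdefaults", {})
    candidates = [
        (appname, realm, option),  # pam = { REALM = { option } }
        (realm, appname, option),  # REALM = { pam = { option } }
        (appname, option),         # pam = { option }
        (realm, option),           # REALM = { option }
        (option,),                 # top level of [appdefaults]
    ]
    for path in candidates:
        value = None if None in path else _lookup(app, path)
        if value is not None:
            return value, "appdefaults/" + "/".join(path)
    return None, None

def pam_ccache(conf_text, uid, realm=None):
    """Ticket cache path the PAM module would use, and where it came from.
    Assumption: %u in the pattern expands to the numeric UID."""
    conf = parse_krb5_conf(conf_text)
    template, where = appdefault(conf, "pam", realm, "ccache")
    if template is None:
        return None, None  # nothing in [appdefaults]; [libdefaults] is ignored
    return template.replace("%u", str(uid)), where
```

Calling pam_ccache(LIBDEFAULTS_ONLY, 1000, "EXAMPLE.COM") yields (None, None) even though default_cc_name is set, while pam_ccache(APPDEFAULTS_PAM, 1000, "EXAMPLE.COM") yields the expanded path and the key it came from; the realm-specific ignore_k5login from the man page fragment resolves only when the realm passed in is EXAMPLE.COM.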