Matthew Gabeler-Lee <chee...@fastcat.org> writes:

> [libdefaults]
>         default_realm = our.active.directory.realm
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         # added this line:
>         default_cc_name = /tmp/krb5cc_%{uid}

> I also tried without the path and with %u instead of %{uid}.  None of it
> worked.

You'd also mentioned that you had read the man page about this, so I think
there's a bug here in the man page and how it discusses options that I'd
love to try to fix.  It looks like the way to do this wasn't obvious
enough.  The key bit, though, is here:

    To set an option for the PAM module in the system krb5.conf file, put that
    option in the [appdefaults] section. All options must be followed by an
    equal sign (=) and a value, so for boolean options add "= true". The
    Kerberos PAM module will look for options either at the top level of the
    [appdefaults] section or in a subsection named "pam", inside or outside a
    section for the realm. For example, the following fragment of a krb5.conf
    file would set forwardable to true, minimum_uid to 1000, and set
    ignore_k5login only if the realm is EXAMPLE.COM.

        [appdefaults]
            forwardable = true
            pam = {
                minimum_uid = 1000
                EXAMPLE.COM = {
                    ignore_k5login = true
                }
            }

So the way to set the Kerberos ticket cache is:

    [appdefaults]
         pam = {
             ccache = /tmp/krb5cc_%u
         }

This *should* work; please let me know if it doesn't.  And let me know if
there's a way that I can make this information easier to find in the man
page.

I should probably also call out that the PAM module doesn't use the
library default ccache location.  (I should also remember why I did that;
I know I had a specific reason, but I don't remember what it was.)

> From what I can see, there is simply no case in this package's code
> where it visibly reads the krb5.conf file, nor where it allows the krb5
> implementation library to use whatever defaults are in krb5.conf.

That code is in options.c and pam-util/options.c, which will set
args->config->ccache from krb5.conf settings.

> For my edification, can you explain why /usr/share/pam-configs/krb5
> can't be made a conffile?  It would solve this frustration, and some
> related frustrations I've had with other libpam-foo packages.  I assume
> there is a good reason for it, it's just not obvious to me what that is.

Files in /usr are not permitted to be configuration files.

Now, the other question is why these files aren't in /etc somewhere, which
would allow them to be conffiles and configuration files.  That's a good
question -- I don't really know off the top of my head why it was defined
that way.  I'm pretty sure it was discussed in the original PAM
configuration proposal for pam-auth-update.  The intent was that this
system should only be used if you want a fully-default PAM configuration
given the modules you have installed, but I'm not sure why that was the
intent.

The PAM maintainer would need to be the one to make that change to move
the files, if they could be convinced to do so (and would be more familiar
with the pros and cons).

Anyway, that's the reason why I've always written my Kerberos-related PAM
modules such that all configuration that makes any sense to set globally
on the system can be set in krb5.conf.  That avoids the problem by not
requiring anything modify the PAM configuration.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
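To make the [appdefaults] layout from the quoted man page text concrete, here is an added example (not code from this thread or from pam-krb5 itself) that parses a constructed krb5.conf fragment into nested sections and then resolves a pam option the way the man page describes: top level of [appdefaults], or a "pam" subsection, inside or outside a section for the realm. The exact precedence between those scopes is an assumption made for illustration (most specific first), and the sample realms and paths are constructed. It also shows that a default_cc_name placed in [libdefaults] is never consulted by this lookup, which is the point of the mail.

```python
import re

# Constructed sample krb5.conf, mirroring the layout discussed in the mail.
# The realm names and ccache paths are made up for this example.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # The PAM module does not read this; only the Kerberos library does.
    default_cc_name = /tmp/krb5cc_%{uid}

[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000
        ccache = /tmp/krb5cc_%u
        EXAMPLE.COM = {
            ignore_k5login = true
        }
    }
    OTHER.ORG = {
        pam = {
            ccache = FILE:/var/tmp/krb5cc_%u
        }
    }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts.

    Sections start with [name]; 'key = {' opens a nested block that is
    closed by a bare '}'. Comments start with '#'. Only the subset of the
    syntax needed for this illustration is handled.
    """
    root = {}
    stack = []  # dicts we are currently inside, innermost last
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            current = root.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value: %r" % line)
        stack[-1][key.strip()] = value.strip()
    return root


def pam_option(conf, name, realm, default=None):
    """Resolve a pam-krb5 style option from [appdefaults] only.

    Search order is an assumption for illustration, most specific first:
      appdefaults.<realm>.pam.<name>, appdefaults.pam.<realm>.<name>,
      appdefaults.pam.<name>, appdefaults.<realm>.<name>, appdefaults.<name>.
    [libdefaults] is deliberately not consulted.
    """
    app = conf.get("appdefaults", {})
    scopes = [
        app.get(realm, {}).get("pam", {}),
        app.get("pam", {}).get(realm, {}),
        app.get("pam", {}),
        app.get(realm, {}),
        app,
    ]
    for scope in scopes:
        value = scope.get(name)
        if isinstance(value, str):  # skip subsections that share the name
            return value
    return default


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("EXAMPLE.COM", "OTHER.ORG"):
        print(realm, "ccache =", pam_option(conf, "ccache", realm))
        print(realm, "ignore_k5login =", pam_option(conf, "ignore_k5login", realm))
```

Running it shows EXAMPLE.COM picking up the shared ccache under pam = { ... } plus its realm-specific ignore_k5login, while OTHER.ORG gets its own ccache from the realm subsection and no ignore_k5login at all; the default_cc_name in [libdefaults] never influences either result.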
