Hi Vincent, I disagree about "usually", but I have a larger question, which is: why are you using gssproxy if you want the credentials in an easily accessible location? The entire point of the daemon is privilege separation.
Thanks,
--Robbie

On April 30, 2020 10:48:29 AM EDT, Vincent Danjean <[email protected]> wrote:
>Package: gssproxy
>Version: 0.8.0-1.1
>Severity: normal
>
> Hi,
>
> The default configuration file looks for kerberos credentials
>in ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U but they usually
>are in ccache:FILE:/tmp/krb5cc_%U
> Is this configuration intended? Why? I had to change it, I found
>the solution on several internet forums where it said that this is
>an error in the default configuration. I'm not sure if this is the
>case (an error) or if the default configuration file targets another
>usage.
>
> Regards
> Vincent
>
>-- System Information:
>Debian Release: 10.3
> APT prefers stable
>APT policy: (990, 'stable'), (500, 'stable-updates'), (500,
>'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
>Architecture: amd64 (x86_64)
>
>Kernel: Linux 5.3.0-0.bpo.2-amd64 (SMP w/30 CPU cores)
>Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
>TAINT_UNSIGNED_MODULE
>Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8),
>LANGUAGE=C.UTF-8 (charmap=UTF-8)
>Shell: /bin/sh linked to /bin/dash
>Init: systemd (via /run/systemd/system)
>
>Versions of packages gssproxy depends on:
>ii libc6 2.28-10
>ii libgssapi-krb5-2 1.17-3
>ii libgssrpc4 1.17-3
>ii libini-config5 0.6.1-2
>ii libk5crypto3 1.17-3
>ii libkrb5-3 1.17-3
>ii libpopt0 1.16-12
>ii libref-array1 0.6.1-2
>ii libselinux1 2.8-1+b1
>ii libverto1 0.3.0-2
>
>gssproxy recommends no packages.
>
>gssproxy suggests no packages.
>
>-- Configuration Files:
>/etc/gssproxy/99-nfs-client.conf changed:
>[service/nfs-client]
> mechs = krb5
> cred_store = keytab:/etc/krb5.keytab
> cred_store = ccache:FILE:/tmp/krb5cc_%U
> cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> cred_usage = initiate
> allow_any_uid = yes
> trusted = yes
> euid = 0
>
>
>-- no debconf information

