On ti, 13 joulu 2016, Alexander Bokovoy wrote:
On ti, 13 joulu 2016, Vít Ondruch wrote:


Dne 12.12.2016 v 16:02 Stephen Gallagher napsal(a):
On 12/12/2016 04:53 AM, Vít Ondruch wrote:
So several questions:

1) When I have 2 domains I login to with kerberos, how to really make it
work. I don't want to kswitch all the time. I am using Kerberos to
authenticate my email client, so I want to keep it working all the time.

There are patches still coming that will switch the fedora packaging tools to
use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
was looking into it.

I am probably missing something, but if I am not mistaken, the primary
ticket depends on the order of my kinit calls, and I am using several apps
which need Kerberos authentication, so I can hardly see how Fedora
packaging tool changes can solve the major issue, i.e. if I do kinit
vondr...@fedoraproject.org, this ticket becomes the primary ...

The story is always more complex than it seems.

There is Kerberos protocol. There is also GSSAPI interface that allows
to wrap Kerberos use under a more general security exchange means. While
Kerberos tools can deal with multiple credential caches in the
collection only by addressing the currently selected credentials cache,
GSSAPI-aware applications enjoy the ability to choose which credentials
cache from the collection to use based on the realm of the target service.

Koji with a patch to use python-gssapi will have the ability to choose the
credentials cache automatically based on the realm of the target
service, regardless of what credentials cache is active right now in the
collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
built with the patch to use python-gssapi.

A small correction: koji 1.11.0-1.fc25 does use python-requests-kerberos, which
uses python-kerberos, which uses the GSSAPI C library. I verified that
koji in Fedora 25 does work with credentials cache collections and
properly chooses the credentials cache which is not the one currently
active.

However, default Fedora 25 configuration[1] does not set the default ccache
name to a collection, only FreeIPA client installer does this.

As a result, if you have no
[libdefaults]
  default_ccache_name = KEYRING:persistent:%{uid}

in your krb5.conf, you are using the defaults compiled into libkrb5
which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
cache _collection_ and cannot store multiple credentials from multiple
realms.

So, if you'd change default_ccache_name to a KEYRING:..-based version
and re-logon, you'll be able to maintain multiple credentials caches at
the same time.

[1] http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
--
/ Alexander Bokovoy
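As an added check (not code from the thread, the koji project or MIT krb5), this Python reads a krb5.conf text and reports whether the effective default_ccache_name points at a collection-capable cache type, as Alexander's reply describes; the set of collection types and the two sample configs are assumptions constructed for the example.

```python
"""Check whether a krb5.conf sets default_ccache_name to a credential cache
collection type, which is what lets TGTs for several realms coexist."""
import re

# Assumption: these cache types are collections (can hold several caches);
# FILE: and MEMORY: hold a single cache and cannot.
COLLECTION_TYPES = {"KEYRING", "DIR", "KCM"}
COMPILED_IN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # libkrb5 default when unset

def default_ccache_name(krb5_conf_text: str) -> str:
    """Return default_ccache_name from [libdefaults], falling back to the
    compiled-in libkrb5 default when the key is absent."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # section header such as [libdefaults] or [realms]
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return COMPILED_IN_DEFAULT

def ccache_type(name: str) -> str:
    """Cache type prefix ('FILE', 'KEYRING', ...); a bare path means FILE."""
    prefix, sep, _ = name.partition(":")
    return prefix.upper() if sep else "FILE"

def supports_collection(krb5_conf_text: str) -> bool:
    """True when the configured default ccache can hold multiple realms' TGTs."""
    return ccache_type(default_ccache_name(krb5_conf_text)) in COLLECTION_TYPES

# Constructed sample configs, not copied from any real host.
FEDORA_DEFAULT_LIKE = """
[libdefaults]
  dns_lookup_realm = false
"""
IPA_CLIENT_LIKE = """
[libdefaults]
  default_ccache_name = KEYRING:persistent:%{uid}
"""
if __name__ == "__main__":
    for label, cfg in (("no default_ccache_name", FEDORA_DEFAULT_LIKE),
                       ("KEYRING collection", IPA_CLIENT_LIKE)):
        print(f"{label}: {default_ccache_name(cfg)} -> collection={supports_collection(cfg)}")
```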