> On Oct 4, 2023, at 00:07, Lukas Slebodnik <[email protected]> wrote:
>
> On (03/10/23 21:15), Francis Augusto Medeiros-Logeay wrote:
>> Hi,
>>
>> We had a mechanism to allow users to mount their directory by using a user
>> systemd service that runs mount (with sudo).
>>
>> Since we use kerberos on that operation, we’d add
>>
>> Defaults env_keep += "KRB5CCNAME"
>>
>> To a sudoers.d file.
>>
>> This worked pretty well, but then we moved to KCM: instead of FILE:.
>>
>> Is there a way we can preserve access to KCM tickets for a user when he uses
>> sudo?
>>
>
> Tickets are preserved.
> But sssd-kcm generates a "search path" based on the connected client,
> and if you run it with sudo the UID changes, e.g.
> ```
> sh$ KRB5CCNAME=KCM:1000:35443 klist -l
> Principal name Cache name
> -------------- ----------
> [email protected] KCM:1000:35443 (Expired)
> ```
>
> and now with sudo
> ```
> sh$ KRB5CCNAME=KCM:1000:35443 sudo --preserve-env=KRB5CCNAME klist -l
> Principal name Cache name
> -------------- ----------
> ```
Thanks a lot Lukas!
I wonder how we can fill up KRB5CCNAME. I have the feeling that this is filled
up automatically when FILE: is used (with /tmp/krb5ccnamexxx, for example). But
with KCM I just get an empty KCM: with the variable. Is this something I can
configure on krb5.conf?
Best,
Francis
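Added example, not from either poster: a small POSIX sh helper that classifies a KRB5CCNAME value against the UID that will actually connect to sssd-kcm, so you can see ahead of time why a KCM:<uid>:<id> cache stops resolving once sudo switches the UID. The KCM:<uid>:<id> name shape is taken from Lukas's klist output above; the function names and sample values are this script's own.

```shell
#!/bin/sh
# Classify a credential cache name against the UID that will use it.
# Prints one of:
#   unset    -> KRB5CCNAME empty: libkrb5 falls back to its built-in default
#   default  -> "KCM:" with no uid: sssd-kcm picks the collection of the
#               connecting UID (this is what Francis sees in the variable)
#   match    -> KCM cache whose embedded uid equals the given uid
#   mismatch -> KCM cache owned by a different uid; sssd-kcm will not show
#               it to the new UID after sudo, exactly as in the klist output
#   file     -> FILE: cache, reachable by whoever can read the path
#   other    -> any other cache type (DIR:, MEMORY:, ...)
kcm_check() {
    ccname="$1"
    uid="${2:-$(id -u)}"          # default to the caller's own UID
    case "$ccname" in
        "")       echo unset ;;
        FILE:*)   echo file ;;
        KCM:?*)   cache_uid=$(printf '%s\n' "$ccname" | cut -d: -f2)
                  if [ "$cache_uid" = "$uid" ]; then
                      echo match
                  else
                      echo mismatch
                  fi ;;
        KCM:|KCM) echo default ;;
        *)        echo other ;;
    esac
}

# Constructed demo values reproducing the thread's scenario: uid 1000 owns
# the cache, and sudo runs the command as uid 0.
kcm_check "KCM:1000:35443" 1000     # match
kcm_check "KCM:1000:35443" 0        # mismatch: sudo changed the UID
kcm_check "KCM:" 1000               # default
kcm_check "FILE:/tmp/krb5cc_1000" 0 # file
```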
_______________________________________________
sssd-users mailing list -- [email protected]