On Wed, Oct 04, 2023 at 10:28:00AM +0200, Francis Augusto Medeiros-Logeay wrote:
> > On Oct 4, 2023, at 00:07, Lukas Slebodnik <[email protected]> wrote:
> >
> > On (03/10/23 21:15), Francis Augusto Medeiros-Logeay wrote:
> >> Hi,
> >>
> >> We had a mechanism to allow users to mount their directory by using a user
> >> systemd service that runs mount (with sudo).
> >>
> >> Since we use Kerberos on that operation, we'd add
> >>
> >> Defaults env_keep += "KRB5CCNAME"
> >>
> >> to a sudoers.d file.
> >>
> >> This worked pretty well, but then we moved to KCM: instead of FILE:.
> >>
> >> Is there a way we can preserve access to KCM tickets for a user when he
> >> uses sudo?
> >>
> >
> > Tickets are preserved.
> > But sssd-kcm generates the "search path" based on the connected client,
> > and if you run it with sudo the UID changes, e.g.
> > ```
> > sh$ KRB5CCNAME=KCM:1000:35443 klist -l
> > Principal name                 Cache name
> > --------------                 ----------
> > [email protected]                KCM:1000:35443 (Expired)
> > ```
> >
> > and now with sudo
> > ```
> > sh$ KRB5CCNAME=KCM:1000:35443 sudo --preserve-env=KRB5CCNAME klist -l
> > Principal name                 Cache name
> > --------------                 ----------
> > ```
>
> Thanks a lot Lukas!
>
> I wonder how we can fill up KRB5CCNAME. I have the feeling that this
> is filled up automatically when FILE: is used (with
> /tmp/krb5ccnamexxx, for example). But with KCM I just get an empty
> KCM: with the variable. Is this something I can configure in
> krb5.conf?
Hi,

no, this won't help. KCM was designed (not by us) to be a single credential cache collection for the current user. This means that the UID of the current user is taken to select the collection, and then every ticket of this user will be accessible.

As Lukas already pointed out, with sudo you are changing the user. For FILE you were lucky, since the user you have changed to is root, which can read all files by default and as a result the FILE ccache as well. KCM, by design, does not allow root to read tickets of other users.

bye,
Sumit

>
> Best,
> Francis
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
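As an added illustration of the behaviour Lukas and Sumit describe (example code written for this page, not taken from the thread or from SSSD): a small POSIX sh check that parses a KRB5CCNAME value and predicts whether it will still be readable once sudo has switched to another UID. The `KCM:<uid>:<n>` name form is taken from the klist output above; the FILE branch only models the "root can read any file" case from Sumit's reply, and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the thread. Predicts whether a KRB5CCNAME value
# survives a UID change (e.g. sudo to root), using the facts from the thread:
#  - sssd-kcm picks the collection from the *connecting client's* UID
#  - a FILE: ccache is just a file, which root can read regardless of owner

# ccache_type NAME -> scheme prefix (KCM, FILE, ...); a bare path means FILE
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# kcm_owner_uid NAME -> UID embedded in "KCM:<uid>[:<n>]"; fails for "KCM:"
# (a bare "KCM:" names whatever collection belongs to the calling UID)
kcm_owner_uid() {
    rest="${1#KCM:}"
    [ "$rest" = "$1" ] && return 1            # not a KCM name at all
    uid="${rest%%:*}"
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;              # no numeric UID present
    esac
    printf '%s\n' "$uid"
}

# readable_after_sudo NAME TARGET_UID -> yes | no | unknown
readable_after_sudo() {
    name="$1" target="$2"
    case "$(ccache_type "$name")" in
        KCM)
            # After sudo the client UID is $target, so sssd-kcm serves that
            # user's collection; the original user's tickets are not visible.
            if owner="$(kcm_owner_uid "$name")" && [ "$owner" = "$target" ]; then
                printf 'yes\n'
            else
                printf 'no\n'
            fi
            ;;
        FILE)
            # root reads any file; for other UIDs it depends on the file mode
            if [ "$target" = 0 ]; then printf 'yes\n'; else printf 'unknown\n'; fi
            ;;
        *)
            printf 'unknown\n'
            ;;
    esac
}
```

Run `readable_after_sudo "$KRB5CCNAME" 0` in the user service before the sudo'ed mount; a `no` means the mount running as root will not see the user's KCM tickets, which is exactly the empty `klist -l` shown above.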
