author | Simo Sorce <simo@redhat.com> | 2012-02-24 17:56:30 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2012-04-05 11:20:33 -0400 |
commit | 5286f86243c1a76f52a4ddb2f341f23762b068b5 (patch) | |
tree | fae078428302a42a1c11d25d0dce54cd20aa4acf /NOTES | |
parent | f021edb509584fdf300617ce9c969948c7492864 (diff) | |
download | gss-proxy-5286f86243c1a76f52a4ddb2f341f23762b068b5.tar.gz gss-proxy-5286f86243c1a76f52a4ddb2f341f23762b068b5.tar.xz gss-proxy-5286f86243c1a76f52a4ddb2f341f23762b068b5.zip |
add note about how to deal with ccache files
Diffstat (limited to 'NOTES')
-rw-r--r-- | NOTES | 15 |
1 files changed, 15 insertions, 0 deletions
@@ -28,3 +28,18 @@ - SPNEGO (any pseudo-mechanism) should not be proxied, as it will re-enter the mechglue and call the proxy(ies) if needed (or not) as appropriate. + + + - How to pass around ccaches ? + We simply don't. + 1. For a user, we should probably deny init_sec_context initially, but if we + allow it we need to create a ccache like + /var/lib/gssproxy/cc/krb5cc_<userename> + The user will not have direct access to the cache. + 2. For a normal service we will do the same, both accept and init contetx use + the configured keytab and the ccache will be in + /var/lib/gssproxy/cc/krb5cc_<servicename> + 3. For a trusted service we do the same as in 2. except when the service + asks us to init_sec_context as a user, in that case we will try to use the + user's ccache in /run/user/<username>/krb5cc, erroring out if it does not + exist or is expired. |
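Review bot: the user ccache path in item 3, `/run/user/<username>/krb5cc`, does not match the convention for that directory, which pam_systemd/systemd-logind creates as `/run/user/<uid>`, keyed on the numeric uid rather than the login name, so the lookup should be by uid; the note should also say which identity (uid or name) derives the `/var/lib/gssproxy/cc/krb5cc_<username>` and `krb5cc_<servicename>` file names, since a user and a service sharing a name must not collide on one file. Item 1 states "The user will not have direct access to the cache" but does not record how that is enforced; suggest stating the intended owner and mode of `/var/lib/gssproxy/cc` so the proxy, not permissions decided later, is the only route to those credentials. Item 3's "erroring out if it does not exist or is expired" should say whether a ccache that exists but holds no credential for the expected principal is treated the same way as a missing one. Minor: "userename" should read "username" in item 1 and "contetx" should read "context" in item 2.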