From 5286f86243c1a76f52a4ddb2f341f23762b068b5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 24 Feb 2012 17:56:30 -0500 Subject: add note about how to deal with ccache files --- NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'NOTES') diff --git a/NOTES b/NOTES index a88a538..c12bfe6 100644 --- a/NOTES +++ b/NOTES @@ -28,3 +28,18 @@ - SPNEGO (any pseudo-mechanism) should not be proxied, as it will re-enter the mechglue and call the proxy(ies) if needed (or not) as appropriate. + + + - How to pass around ccaches ? + We simply don't. + 1. For a user, we should probably deny init_sec_context initially, but if we + allow it we need to create a ccache like + /var/lib/gssproxy/cc/krb5cc_ + The user will not have direct access to the cache. + 2. For a normal service we will do the same, both accept and init contetx use + the configured keytab and the ccache will be in + /var/lib/gssproxy/cc/krb5cc_ + 3. For a trusted service we do the same as in 2. except when the service + asks us to init_sec_context as a user, in that case we will try to use the + user's ccache in /run/user//krb5cc, erroring out if it does not + exist or is expired. -- cgit
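Review bot: the two ccache paths in this hunk look incomplete: `/var/lib/gssproxy/cc/krb5cc_` (items 1 and 2) ends in a bare underscore and `/run/user//krb5cc` (item 3) has an empty path component, so the note should spell out which identifier fills each slot, because in a shared `/var/lib/gssproxy/cc` directory that identifier is the only thing keeping one principal's cache separate from another's and is what the code will later need to validate before handing out credentials. Item 1 also leaves the policy open ("we should probably deny init_sec_context initially, but if we allow it..."); since this is a design note, record the actual decision and the condition under which the user-initiated init_sec_context is allowed rather than both branches. Item 3 should say how the proxy confirms the ccache under the user's runtime directory really belongs to that user before using it, alongside the existing "does not exist or is expired" checks. Minor: "init contetx" in item 2 should read "init context".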