| From | Simo Sorce <simo@redhat.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: krb5ccmachine |
| Date | 2026-04-27 13:30 -0400 |
| Organization | Red Hat |
| Message-ID | <mailman.32.1777311067.1813.kerberos@mit.edu> |
| References | (1 earlier) <b364323c7b5350d9bef1dd767a8bb4476171219b.camel@intel.com> <-y-c4c5KAx_sZy5JJOgjg4ztnCM4RurxFAKV-mHiZrmNsG7BpEG2DihwKp5vPzpIus5Gx79JI4X7_RurezUzBunJXIJk1KCI4RUBIp2yujc=@protonmail.com> <bdfd7ab3a1a76bbd5abb3ae219c5cebce8d2621a.camel@intel.com> <YjndUr_KkGoKxdmZ3hURCzUX_5uMB8a74w8WcBsrgi0-nk-VPxuk0ccdGoMrqiWQV-gpG2WUbNdfQUbBrmWbLZA5ik87NIcfPR4fJf4UfRQ=@protonmail.com> <e19616d1a6bfc5e932cb71d4a33d961d3c91a73b.camel@redhat.com> |
Gssproxy never stores caches in /tmp; that file is more likely created by rpc.gssd, the NFS client daemon that handles GSSAPI authentication. rpc.gssd is sadly stuck in time and forces the use of the FILE: ccache through most of its code, which is why we intercept it with gssproxy for some operations, with user ccaches only.

HTH,
Simo.

On Mon, 2026-04-27 at 17:02 +0000, Marek Greško via Kerberos wrote:
> Hello,
>
> so for klist it seems it is generated by gssproxy, because there is an nfs/ ticket.
>
> Regarding gssproxy.conf I have the file /etc/gssproxy/99-network-fs-clients.conf containing:
>
> [service/network-fs-clients]
> mechs = krb5
> cred_store = keytab:/etc/krb5.keytab
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> cred_usage = initiate
> allow_any_uid = yes
> trusted = yes
> euid = 0
> min_lifetime = 60
>
> But apparently it is not using the path. I also did not find how to specify the path for the machine ccache. Even better, if I could convince the machine ccache to also be stored in KCM. Is it possible?
>
> Thanks
>
> Marek
>
> Sent with Proton Mail secure email.
>
> On Monday, 27 April 2026, 16:19, Christian, Mark <mark.christian@intel.com> wrote:
>
> > On Mon, 2026-04-27 at 04:38 +0000, Marek Greško wrote:
> > > Hello,
> > >
> > > the
> > > kinit -c /tmp/krb5ccmachine_EXAMPLE.COM
> > > asks for a password. Which password? What should I expect to happen thereafter?
> >
> > Sorry, I meant for you to use klist, not kinit:
> >
> > % klist -c /tmp/krb5ccmachine_EXAMPLE.COM
> >
> > > I also asked AI to help me on the original issue. It thinks it is related to gssproxy and most probably it is right. It stated there is not much to do and I should accept the current state. But I feel a little bit unhappy, since it creates a file with a predictable name in /tmp and it could be a security risk.
> >
> > See man gssproxy.conf for details on how to configure the location of cred_store / ccache.
> >
> > Mark
> >
> > > Thanks
> > >
> > > Marek
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > On Friday, 24 April 2026, 16:02, Christian, Mark <mark.christian@intel.com> wrote:
> > >
> > > > On Fri, 2026-04-24 at 10:44 +0000, Marek Greško via Kerberos wrote:
> > > > > Hello,
> > > > >
> > > > > I have configured the Kerberos client on Fedora 43. I configured Kerberos to use the KCM: ccache. Users' ccaches are in KCM, but I always see the file /tmp/krb5ccmachine_EXAMPLE.COM created. Why is this file created?
> > > >
> > > > Perhaps related to your Kerberos NFS configuration? Inspect the cache, kinit -c /tmp/krb5ccmachine_EXAMPLE.COM; doing so might clue you in.
> > > >
> > > > Mark
> > > >
> > > > > What mechanism does not use KCM and how could it be convinced to do so?
> > > > >
> > > > > Thanks
> > > > >
> > > > > Marek
> > > > > ________________________________________________
> > > > > Kerberos mailing list Kerberos@mit.edu
> > > > > https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
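Added example, not code from the thread or from gssproxy, krb5 or rpc.gssd. Two things the thread leaves the reader to work out by hand: the section Marek posted repeats the cred_store key three times, which Python's configparser refuses to read, so the first half parses it directly and pulls out the ccache locations (a `ccache:KCM:` entry is handled the same way as the `ccache:FILE:` one); the second half runs, over a constructed directory tree rather than the real /tmp, the checks a practitioner would apply to a file like /tmp/krb5ccmachine_EXAMPLE.COM before deciding whether its predictable name matters: sticky bit on the parent, a symlink or foreign-owned file already sitting at the path, and a mode that exposes the tickets. Function names, the sample file names and the placeholder file contents are this example's own; nothing here inspects a live rpc.gssd, and on a normal sticky /tmp the example's "good" case is what you should see.

```python
"""Added example (not code from the thread, gssproxy or krb5): a parser for
the repeated cred_store keys in gssproxy.conf, which configparser rejects,
plus the checks worth running on a FILE: ccache under a predictable /tmp name."""
import os
import shutil
import stat
import tempfile

# Constructed copy of the section posted in the thread.
SAMPLE_CONF = """\
[service/network-fs-clients]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
min_lifetime = 60
"""


def parse_gssproxy_conf(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def ccache_locations(service):
    """'ccache:FILE:/p' -> ('FILE', '/p'); 'ccache:KCM:' -> ('KCM', '')."""
    out = []
    for entry in service.get("cred_store", []):
        kind, _, rest = entry.partition(":")
        if kind == "ccache":
            cctype, _, residual = rest.partition(":")
            out.append((cctype, residual))
    return out


def audit_file_ccache(path, expected_uid):
    """Findings for a FILE: ccache at a fixed path; [] means nothing looked wrong.

    These are the conditions that make a predictable name in a shared directory
    dangerous: no sticky bit, a planted symlink or foreign-owned file, or a
    mode that lets other users read the tickets.
    """
    findings = []
    pmode = os.stat(os.path.dirname(path) or ".").st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append("parent dir world-writable without sticky bit")
    try:
        st = os.lstat(path)  # lstat: never follow whatever sits at the path
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        return findings + ["ccache path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("ccache is not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ccache readable by group or others")
    return findings


def demo():
    """Parse the sample config and audit files in a constructed /tmp-like tree."""
    svc = parse_gssproxy_conf(SAMPLE_CONF)["service/network-fs-clients"]
    root, me = tempfile.mkdtemp(), os.getuid()
    shared = os.path.join(root, "tmp")           # 1777, like a real /tmp
    nosticky_dir = os.path.join(root, "shared")  # 0777, sticky bit forgotten
    for d, mode in ((shared, 0o1777), (nosticky_dir, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)

    def make(d, name, mode):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"placeholder bytes, not a real ccache")  # constructed
        os.chmod(p, mode)
        return p

    good = make(shared, "krb5ccmachine_EXAMPLE.COM", 0o600)
    leaky = make(shared, "krb5ccmachine_LEAKY.COM", 0o644)
    nosticky = make(nosticky_dir, "krb5ccmachine_EXAMPLE.COM", 0o600)
    planted = os.path.join(shared, "krb5ccmachine_PLANTED.COM")
    os.symlink("/etc/passwd", planted)  # what another local user could pre-create
    results = {
        "cred_store_count": len(svc["cred_store"]),
        "ccaches": ccache_locations(svc),
        "good": audit_file_ccache(good, me),
        "leaky": audit_file_ccache(leaky, me),
        "nosticky": audit_file_ccache(nosticky, me),
        "planted": audit_file_ccache(planted, me),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

To use it against a real host, call `audit_file_ccache("/tmp/krb5ccmachine_EXAMPLE.COM", 0)` as root (the file is expected to be root-owned when rpc.gssd created it) and `parse_gssproxy_conf(open("/etc/gssproxy/99-network-fs-clients.conf").read())` for the config; an empty findings list for a 0600 root-owned regular file in a sticky /tmp is the normal state, and the remaining question of which process opens the file is one for `fuser`/`lsof` or an audit watch, not for this script.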