MIT Interop - Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache #166
Comments
Sure, we should interop with the MIT
I don't. :/ I just recently encountered this when trying to get a client compiled against MIT Krb (ldapsearch) to work with a server compiled with Heimdal Krb (OpenLDAP's slapd linked to cyrus-sasl that was linked to heimdal).
Note: breaks interop with default RHEL configs
@quanah sure. but someone needs to write the necessary code. If there is an organization that wants this functionality, they can provide code or money.
Yeah, I was just mainly trying to update the title of the bug so that people could find it easily if they hit the issue, but that change seems to have gotten lost. :/
There, fixed that now. ;)
FYI
FYI: Fedora is planning to implement a KCM server as part of sssd and then make KCM the default credential cache type
I happen to be working on an extension to the
@nicowilliams that's awesome!
@lhoward, is implementing KEYRING ccache support for Heimdal work that would interest you?
Sure, is it something there is a demand for or has KCM/sssd subsumed this?
That's a question for the Red Hat crowd. I'm asking on the #krbdev IRC room (on freenode).
I'm told that yes, the KEYRING ccache is widely in use.
@nicowilliams As I noted back when I filed this issue, KEYRING is literally the default cache mechanism in RHEL7. Not sure about other Linux distributions. So it's not a surprise to me it's widely in use. ;)
MIT keyring ccache code looks pretty hairy, it would take some time to reverse-engineer a spec from it. I suppose we want a new implementation right, rather than porting the MIT code?
Porting the MIT implementation is fine, IMO.
That would be the quickest. I can certainly clean it up a bit whilst doing so, of course. The only other MIT copyright I can is in kafs FWIW, though. And I know @jaltman does like diversity of implementation where possible (given he is paying for it, I'll wait for his advice, although porting the MIT implementation is certainly likely to be less work!).
I'm fine with pulling in the MIT implementation tweaked for Heimdal. It's a platform-specific implementation of a credential cache without a well-defined standard.
Integration progress:
Integrated in fb81598
Heimdal-linked cyrus-sasl GSSAPI modules fail to work with many RHEL-based MIT Kerberos systems due to the fact that RHEL defaults to using the KEYRING type credential cache (more at http://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html). This is a Linux-specific method. The lack of ability to interoperate is of course rather frustrating to admins. It would be extremely useful for the next release of Heimdal to include support for KEYRING credential caches.