
MIT Interop - Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache #166

Closed
quanah opened this issue Mar 29, 2016 · 22 comments

Comments

@quanah
Collaborator

quanah commented Mar 29, 2016

Heimdal-linked cyrus-sasl GSSAPI modules fail to work with many RHEL-based MIT Kerberos systems due to the fact that RHEL defaults to using the KEYRING type credential cache (more at http://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html). This is a Linux-specific method. The lack of ability to interoperate is of course rather frustrating to admins. It would be extremely useful for the next release of Heimdal to include support for KEYRING credential caches.

@nicowilliams
Contributor

Sure, we should interop with the MIT KEYRING ccache type. Does anyone have patches for this?

@quanah
Collaborator Author

quanah commented Jul 28, 2016

I don't. :/ I just recently encountered this when trying to get a client compiled against MIT Krb (ldapsearch) to work with a server compiled with Heimdal Krb (OpenLDAP's slapd linked to cyrus-sasl that was linked to heimdal).

@quanah
Collaborator Author

quanah commented Nov 18, 2016

Note: breaks interop with default RHEL configs

@jaltman
Member

jaltman commented Nov 18, 2016

@quanah sure, but someone needs to write the necessary code. If there is an organization that wants this functionality, they can provide code or money.

@quanah
Collaborator Author

quanah commented Nov 18, 2016

Yeah, I was just mainly trying to update the title of the bug so that people could find it easily if they hit the issue, but that change seems to have gotten lost. :/

@quanah changed the title from "Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache" to "RHEL Interop - Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache" on Nov 18, 2016
@quanah
Collaborator Author

quanah commented Nov 18, 2016

There, fixed that now. ;)

@prmarino1

FYI, there may be a workaround for this with MIT Kerberos 1.13 or higher. This is from the release notes for MIT Kerberos 1.13, released in October of 2014:
"Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type."
While it does not solve the issue, it is a viable workaround.
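As an added check (not code from this thread, from Heimdal or from MIT), a small Python helper that resolves which credential cache a client process will actually use, following MIT's precedence order, and flags the KEYRING case from the opening report against the KCM: workaround mentioned above; the krb5.conf text inside is constructed, and the exact RHEL 7 default string `KEYRING:persistent:%{uid}` is an assumption.

```python
"""Resolve which credential cache a Kerberos client will use.

Added example, not code from the issue thread or from Heimdal/MIT.
Follows MIT krb5 precedence: KRB5CCNAME, then default_ccache_name in
[libdefaults] of krb5.conf, then the built-in FILE default.
"""
import re

BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # MIT fallback when unconfigured

# Constructed krb5.conf; the KEYRING default string is assumed RHEL 7 style.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_ccache_name":
                return value.strip()
    return None

def resolve_ccache(env, conf_text, uid):
    """Apply the precedence order and expand the %{uid} parameter."""
    name = env.get("KRB5CCNAME") or default_ccache_name(conf_text) or BUILTIN_DEFAULT
    return name.replace("%{uid}", str(uid))

def ccache_type(name):
    """Type prefix of a ccache name; a bare path means FILE."""
    head, sep, _ = name.partition(":")
    return head if sep else "FILE"

def needs_kcm_workaround(name):
    """True for KEYRING, the type a Heimdal-linked client could not read."""
    return ccache_type(name) == "KEYRING"
```

Run it with `os.environ` in place of the `env` dictionary to see which cache the current shell would hand to a Heimdal-linked client.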

@jaltman
Member

jaltman commented Feb 7, 2017

FYI: Fedora is planning to implement a KCM server as part of sssd and then make KCM the default credential cache type
https://fedorahosted.org/sssd/wiki/DesignDocs/KCM
https://fedoraproject.org/wiki/Changes/KerberosKCMCache

@quanah changed the title from "RHEL Interop - Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache" to "MIT Interop - Heimdal Kerberos does not work with the MIT KEYRING type of credentials cache" on Dec 13, 2017
@nicowilliams
Contributor

I happen to be working on an extension to the FILE ccache that stores a large hash table in a ccconfig entry. The hash table is O(1) and lock-less for both reading and writing. The thought occurs that when I'm done with this, we can use that for the KEYRING ccache type...

@quanah
Collaborator Author

quanah commented Dec 15, 2017

@nicowilliams that's awesome!

@vdukhovni vdukhovni added this to the Heimdal 9 milestone Dec 14, 2018
@jaltman
Member

jaltman commented Dec 14, 2018

@lhoward, is implementing KEYRING ccache support for Heimdal work that would interest you?

@lhoward
Member

lhoward commented Dec 17, 2018

Sure, is it something there is a demand for or has KCM/sssd subsumed this?

@nicowilliams
Contributor

That's a question for the RedHat crowd. I'm asking on the #krbdev IRC room (on freenode).

@nicowilliams
Contributor

I'm told that yes, the KEYRING ccache is widely in use.

@quanah
Collaborator Author

quanah commented Dec 18, 2018

@nicowilliams As I noted back when I filed this issue, KEYRING is literally the default cache mechanism in RHEL7. Not sure about other Linux distributions. So it's not a surprise to me that it's widely in use. ;)

@lhoward
Member

lhoward commented Dec 19, 2018

MIT keyring ccache code looks pretty hairy; it would take some time to reverse-engineer a spec from it. I suppose we want a new implementation, right, rather than porting the MIT code?

@nicowilliams
Contributor

Porting the MIT implementation is fine, IMO.

@lhoward
Member

lhoward commented Dec 19, 2018

That would be the quickest. I can certainly clean it up a bit whilst doing so, of course. The only other MIT copyright I can is in kafs, FWIW, though. And I know @jaltman does like diversity of implementation where possible (given he is paying for it, I'll wait for his advice, although porting the MIT implementation is certainly likely to be less work!).

@jaltman
Member

jaltman commented Dec 19, 2018

I'm fine with pulling in the MIT implementation tweaked for Heimdal. It's a platform-specific implementation of a credential cache without a well-defined standard.

@lhoward
Member

lhoward commented Dec 20, 2018

Integration progress:

% ../../kuser/heimtools list
Credentials cache: KEYRING:legacy::tkt
        Principal: lukeh@LUKKTONE.COM

  Issued                Expires               Principal
Dec 19 23:32:47 2018  Dec 20 23:32:45 2018  krbtgt/LUKKTONE.COM@LUKKTONE.COM

lhoward added a commit to PADL/heimdal that referenced this issue Dec 22, 2018
lhoward added a commit to PADL/heimdal that referenced this issue Dec 23, 2018
lhoward added a commit to PADL/heimdal that referenced this issue Dec 24, 2018
@lhoward
Member

lhoward commented Dec 26, 2018

Integrated in fb81598

6 participants