pam_mktemp conflicts with GSSAPI and kerberos
Author: vaxbrat (l33t; joined 05 Oct 2005; posts: 731; location: DC Burbs)

Posted: Tue Oct 16, 2012 11:04 pm    Post subject: pam_mktemp conflicts with GSSAPI and kerberos

I was trying to work my way through an openldap implementation for the first time and ran into a gotcha with using SASL/GSSAPI and kerberos as the underlying data security layer.

Kerberos ticket caches default to /tmp/krb5cc_<uid>_<random> for each user. You can allegedly set KRB5CCNAME to point to a FILE:/<something else> if you feel like juggling your creds, but this isn't a straightforward process to do for a service account like ldap since it is not set up for interactive logins.

If you have the mktemp USE flag enabled, your temp junk is parked under /tmp/.private/<username> now. However, the krb5 credentials cache still ends up in /tmp for interactive users after they do their first kinit (likely by invoking pam_krb5 during login). The trouble is that it appears that service accounts like ldap try to stick it under the .private directory for themselves and eventually run into a permissions issue trying to reset file ownership under the hood.

The symptoms: you try doing your first ldapsearch after getting the database loaded and slapd up and running. ldapsearch will error out mumbling something about a permissions error trying to create the replay cache.

The only workaround I see is to rip out pam_mktemp by disabling the mktemp USE flag.
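An added shell example (not from the post, and not part of pam_mktemp, pam_krb5 or MIT krb5) for diagnosing the situation described above before ripping out the USE flag: work out which directory a Kerberos client running under a given account will write its caches into, then check that the directory exists, belongs to that account and is 0700, which is what a per-user private temp directory needs to be. The resolution order in `cache_dir_for` is my assumption, not something the post states: an explicit `KRB5CCNAME=FILE:/path` wins, otherwise `$TMPDIR` (which pam_mktemp points at `/tmp/.private/<user>`), otherwise `/tmp`. The directory passed to `check_private_tmp` is whatever you get from `cache_dir_for`, e.g. `/tmp/.private/ldap` for the ldap service account.

```shell
#!/bin/sh
# Added example; not code from the forum post or from any of the projects it names.

# cache_dir_for <KRB5CCNAME value> <TMPDIR value>
# Prints the directory a Kerberos client is expected to write its caches into.
# Assumed order (mine, not from the page): explicit FILE: cache, bare path,
# then $TMPDIR, then /tmp.
cache_dir_for() {
    ccname=$1
    tmpdir=$2
    case "$ccname" in
        FILE:*) dirname "${ccname#FILE:}"; return 0 ;;   # FILE:/tmp/krb5cc_439 -> /tmp
        "")     ;;                                       # unset: fall through
        *)      dirname "$ccname"; return 0 ;;           # bare path without a type prefix
    esac
    if [ -n "$tmpdir" ]; then
        printf '%s\n' "$tmpdir"
    else
        printf '%s\n' /tmp
    fi
}

# check_private_tmp <user> <dir>
# Return codes: 0 usable, 1 missing, 2 owned by someone else,
#               3 group/other have access (not 0700), 4 not writable by the caller.
check_private_tmp() {
    user=$1
    dir=$2
    [ -d "$dir" ] || return 1
    # ls -ld is portable enough: field 1 is the mode string, field 3 the owner.
    # (set -- inside a function only replaces the function's own $1 $2 ...)
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    [ "$owner" = "$user" ] || return 2
    # A private temp dir must be drwx------; a trailing '+' or '.' (ACL/SELinux
    # marker) after the mode string is tolerated by the '*'.
    case "$mode" in
        d???------*) ;;
        *) return 3 ;;
    esac
    [ -w "$dir" ] || return 4
    return 0
}

# Stand-alone run: report on the caller's own account with the current environment.
if [ "${0##*/}" != "sh" ] && [ -z "${KRB_CHECK_NO_MAIN:-}" ]; then
    me=$(id -un)
    d=$(cache_dir_for "${KRB5CCNAME:-}" "${TMPDIR:-}")
    check_private_tmp "$me" "$d"
    rc=$?
    printf 'user=%s cache dir=%s status=%s\n' "$me" "$d" "$rc"
fi
```

Run it as the service account (for example with `su -s /bin/sh ldap -c ./check.sh`, exporting the same `TMPDIR` that pam_mktemp would set) and a non-zero status tells you which of the four prerequisites fails, instead of inferring it from the "permissions error trying to create the replay cache" message that ldapsearch gives you.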