[PATCH] Do not use a central Kerberos ccache
Andreas Schneider
asn at samba.org
Sat Sep 24 00:04:11 UTC 2016
On Friday, 23 September 2016 07:40:57 CEST Andrew Bartlett wrote:
> On Fri, 2016-09-23 at 07:56 +0200, Andreas Schneider wrote:
> > Hello,
> >
> > we should not use a central Kerberos credential cache (st/krb5ticket) but
> > instead have one per environment.
> >
> > The attached patch addresses this.
>
> This:
>
> $ENV{PREFIX} = $prefix;
> -$ENV{KRB5CCNAME} = "$prefix/krb5ticket";
> $ENV{PREFIX_ABS} = $prefix_abs;
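Review bot: with the $ENV{KRB5CCNAME} assignment removed, nothing in this hunk leaves child processes with a defined cache, so anything spawned before a per-environment value is exported inherits whatever KRB5CCNAME the invoking shell had, or none at all. Consider either keeping an explicit value here that points at a path no test is expected to touch, or failing early when an environment's setup has not set its own KRB5CCNAME, so that a fallback to the caller's cache is caught instead of silently used.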
>
> Seems to remove the code that forces the server processes to have a
> sensible ccache. After that code is removed, the KRB5CCNAME for the
> samba daemon seems to be ".samba" (I'm not sure by what mechanism
> however).
For ad_dc it should be st/ad_dc/krb5_ccache.samba but if it is only samba,
then in the setup process something is wrong.
Ok, I think I found it.
> I got that by spying in /proc/$PID/environ in a testenv
> before and after your patch.
>
> So I would prefer we kept that, but then had a teardown assertion
> (somehow) that it wasn't used, either by the daemons or the
> provision/join process.
The thing is that not only the daemons use that cache but also the client
tools.
That's what I don't like.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selftest.patch
Type: text/x-patch
Size: 17315 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160924/c6cbfed1/selftest.bin>
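
The /proc/$PID/environ inspection and the teardown assertion discussed in this thread, sketched as an added example (not code from the Samba tree or from either poster). It assumes a Linux-style NUL-separated environment dump; the helper names and the sample dumps are constructed, with paths taken from the thread.

```shell
#!/bin/sh
# Added example: flag processes whose KRB5CCNAME points outside their own
# test environment directory. Helper names are hypothetical.

# Print the KRB5CCNAME value from a NUL-separated environment dump
# (the format of /proc/$PID/environ); prints nothing when it is unset.
ccache_of() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Return 0 when the ccache named in ENVIRON_FILE ($1) lies under ENV_DIR ($2),
# 1 when it is unset, central, or escapes ENV_DIR via "..".
ccache_is_private() {
    cc=$(ccache_of "$1")
    cc=${cc#FILE:}                 # strip the optional krb5 cache-type prefix
    case "$cc" in
        */../*|*/..) return 1 ;;   # reject traversal out of the environment
        "$2"/?*)     return 0 ;;
        *)           return 1 ;;
    esac
}

# Write three constructed environment dumps into DIR ($1): the central cache
# the thread wants to retire, the per-environment path, and no cache at all.
make_samples() {
    printf 'PREFIX=st\0KRB5CCNAME=st/krb5ticket\0PREFIX_ABS=/tmp/st\0' > "$1/central.environ"
    printf 'PREFIX=st\0KRB5CCNAME=FILE:st/ad_dc/krb5_ccache.samba\0' > "$1/ad_dc.environ"
    printf 'PREFIX=st\0' > "$1/unset.environ"
}

# Check every dump in DIR ($1) against ENV_DIR ($2), one verdict line each.
report() {
    for f in "$1"/*.environ; do
        if ccache_is_private "$f" "$2"; then
            echo "ok   $(basename "$f") -> $(ccache_of "$f")"
        else
            echo "FAIL $(basename "$f") -> $(ccache_of "$f")"
        fi
    done
}

tmp=$(mktemp -d)
make_samples "$tmp"
report "$tmp" st/ad_dc
rm -rf "$tmp"
```

Against a live testenv the first argument would be /proc/$PID/environ for each daemon or client tool of that environment.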