DevConf is a great time of year. Lots of developers gather in one place and we
get to discuss integration issues between projects that may not have a direct
relationship. One of those issues this year was the desktop integration of

GNOME Online Accounts has supported the creation of Kerberos accounts
since nearly the beginning, thanks to the effort of Debarshi Ray.
However, we were made aware of an issue this year that had not come up before.
Namely, in a variety of cases GSSAPI would not be able to complete
authentication for non-default TGTs.
Roughly, this meant that if you logged into Kerberos using two different
accounts GSSAPI would only be able to complete authentication using your
default credential cache – meaning the last account you logged into. Users
could work around this problem by using
kswitch to change their default
credential cache. However, since authentication transparently failed, there
was no indication to the user that this could work. So the user experience was

I am happy to say that we have discovered a cure for this malady!

If you’re a Fedora 25 user, please help us test the fix! There is a pending
update for krb5 on Bodhi. The easy way to reproduce this issue is as
- Log in with the Kerberos account you want to use for the test.
- Log in with another Kerberos account.
- Confirm that the second account is default with
- Attempt to log in to a service using the first credential and GSSAPI. The
easiest way to do this is probably to go to a Kerberos-protected website
using your browser (assuming it is properly configured for GSSAPI).
- Before the patch, automatic login should fail. Afterwards, it shouldn’t.
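
The state this procedure sets up (a ticket for the wanted principal that exists in the cache collection but is not the default) can be recognised from `klist` output. The script below is an added example, not code from the original post or from krb5. It assumes MIT krb5's text layout for `klist` and `klist -l`; the function names are hypothetical, and the principals, cache names and sample output are constructed.

```shell
#!/bin/sh
# Added example: classify a principal against the credential cache collection.
# Assumed MIT krb5 layout: `klist` prints "Default principal: <name>" for the
# default cache; `klist -l` prints two header lines, then "<principal> <cache>".

# Constructed sample output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: KCM:1000:67890
Default principal: bob@EXAMPLE.COM

Valid starting       Expires              Service principal
01/30/2017 10:00:00  01/30/2017 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_KLIST_L='Principal name                 Cache name
--------------                 ----------
bob@EXAMPLE.COM                KCM:1000:67890
alice@EXAMPLE.COM              KCM:1000:12345'

# Print the default principal found in `klist` output read from stdin.
default_principal() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# Succeed if principal $1 owns a cache in `klist -l` output read from stdin.
in_collection() {
    awk -v p="$1" 'NR > 2 && $1 == p { found = 1 } END { exit !found }'
}

# classify WANTED KLIST_TEXT KLIST_L_TEXT -> default | non-default | missing
classify() {
    if [ "$(printf '%s\n' "$2" | default_principal)" = "$1" ]; then
        echo default
    elif printf '%s\n' "$3" | in_collection "$1"; then
        # The case the post describes; the workaround is: kswitch -p "$1"
        echo non-default
    else
        echo missing
    fi
}

# Against a live session: classify alice@EXAMPLE.COM "$(klist)" "$(klist -l)"
classify alice@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_KLIST_L"
```

A result of `non-default` for the first account confirms the test is set up as the steps above intend; the check only reads the listing and does not verify that the ticket is still valid.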
Source From: fedoraplanet.org.
Original article title: Nathaniel McCallum: Better Resolution of Kerberos Credential Caches.