Nathaniel McCallum: Better Resolution of Kerberos Credential Caches

DevConf is a great time of year. Lots of developers gather in one place and we
get to discuss integration issues between projects that may not have a direct
relationship. One of those issues this year was the desktop integration of
Kerberos authentication.

GNOME Online Accounts has supported the creation of Kerberos accounts
since nearly the beginning, thanks to the effort of Debarshi Ray.
However, we were made aware of an issue this year that had not come up before.
Namely, in a variety of cases GSSAPI would not be able to complete
authentication for non-default TGTs.

Roughly, this meant that if you logged into Kerberos using two different
accounts GSSAPI would only be able to complete authentication using your
default credential cache – meaning the last account you logged into. Users
could work around this problem by using kswitch to change their default
credential cache. However, since authentication transparently failed, there
was no indication to the user that this could work. So the user experience was
particularly poor.

This difficulty became even more noticeable after the Fedora deployment of
by Patrick Uiterwijk. Many Fedora developers
also use Kerberos for other realms, so the pain was spreading.

I am happy to say that we have discovered a cure for this malady!

Matt Rogers worked with upstream to merge this patch which
causes GSSAPI to do the RightThing™. Robbie Harwood landed the
patch in Fedora (rawhide, 26, 25). So we believe this issue to be resolved.

If you’re a Fedora 25 user, please help us test the fix! There is a pending
update for krb5 on Bodhi. The easy way to reproduce this issue is as follows:

  1. Log in with the Kerberos account you want to use for the test.
  2. Log in with another Kerberos account.
  3. Confirm that the second account is default with klist.
  4. Attempt to log in to a service using the first credential and GSSAPI. The
    easiest way to do this is probably to go to a Kerberos protected website
    using your browser (assuming it is properly configured for GSSAPI).
  5. Before the patch, automatic login should fail. Afterwards, it shouldn’t.
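To see why step 5 fails before the patch, here is a small added diagnostic (not from the post or from krb5) that parses constructed `klist -l` output for a credential cache collection and compares cache selection with and without the fix. The old behaviour uses only the primary (default) cache; the fixed behaviour is assumed here to fall back to a cache whose principal realm matches the target service's realm, and the `kswitch -c` line is the workaround the post mentions.

```python
# Constructed sample of `klist -l` output: two TGTs in one KEYRING collection.
# The first row is the primary (default) cache, which is what kswitch changes.
# All names and cache ids below are made up for this example.
KLIST_L_SAMPLE = """\
Principal name                 Cache name
--------------                 ----------
alice@FEDORAPROJECT.ORG        KEYRING:persistent:1000:krb_ccache_x1
alice@EXAMPLE.COM              KEYRING:persistent:1000:krb_ccache_x2
"""


def parse_collection(text):
    """Return (principal, cache_name) pairs from `klist -l` output, in order."""
    rows = []
    for line in text.splitlines()[2:]:  # skip the header and the dashes row
        parts = line.split()
        if len(parts) == 2 and "@" in parts[0]:
            rows.append((parts[0], parts[1]))
    return rows


def realm_of(principal):
    return principal.rsplit("@", 1)[1]


def select_cache(rows, target_realm, search_collection):
    """Cache a GSSAPI initiator would use for a service in target_realm.

    search_collection=False models the pre-patch behaviour (default cache only).
    search_collection=True models the assumed fixed behaviour: fall back to a
    cache whose principal realm matches. Caveat: with cross-realm trust the
    service realm may legitimately differ from the client realm, so a None
    result means "no direct match", not that authentication is impossible.
    """
    if not rows:
        return None
    default_principal, default_cache = rows[0]
    if realm_of(default_principal) == target_realm:
        return default_cache
    if search_collection:
        for principal, cache in rows[1:]:
            if realm_of(principal) == target_realm:
                return cache
    return None


def diagnose(text, target_realm):
    """Report old vs. fixed selection and the kswitch workaround, if any."""
    rows = parse_collection(text)
    old = select_cache(rows, target_realm, search_collection=False)
    new = select_cache(rows, target_realm, search_collection=True)
    workaround = "kswitch -c " + new if old is None and new is not None else None
    return {"default": rows[0][0] if rows else None, "old": old,
            "new": new, "workaround": workaround}
```

Run `diagnose(KLIST_L_SAMPLE, "EXAMPLE.COM")` to see the reproduction case: the default cache is for FEDORAPROJECT.ORG, so the old selection is None while the fixed selection picks the second cache.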
