Elaborate on when cred_store = ccache:... should be used

[frozencemetery]

Current docs aren't very clear about when to use this. As a result, reasonable users often make the assumption that this should be something like cred_store = ccache:/tmp/krb5cc_%u or cred_store = ccache:KEYRING:%u or what have you.

We should make explicit what this is actually intended for and that it shouldn't be otherwise used.

[jbazik]

So, it shouldn't be this?

cred_store = ccache:FILE:/tmp/krb5cc_%U
allow_any_uid = yes

I was expecting gssproxy to chown the ccache to the user, which it doesn't do.

[jbazik]

I think I understand now that the cred_store ccache is for gssproxy's internal use. After I got things working, I could see in strace that gssd actually creates the ccache file in /tmp for the user. Or is it the interposer code that does that? I'm still not sure if or why I should set this setting, but I have it working.

[simo5]

@jbazik this i used by gss-proxy to perform operations like impersonation as they are split over multiple iterations and need a stored ccache to continue the operation.
It is not needed for all gss-proxy operations

[Saffa001]

Hello every one, Is there any document to validate GSSPROXY working? I have RHEL8 and Kerberos with GSSAPI and dotnet app.
It has been a Month i could not get it work. Any help would be appreciated. Thanks

[simo5]

What we have here: https://github.com/gssapi/gssproxy/tree/main/docs is all we have really.

[Saffa001]

Understood, Thank you. I was thinking maybe someone has knowledge base website to share so i may able to get this to work.