Bug 7507 - tl-kinit.sh/kinit problem with heimdal and default ccname
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Misc
Version: 4.10.0
Hardware: PC Linux
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
Reported: 2020-05-29 13:48 CEST by tobias.haas
Modified: 2020-06-02 12:58 CEST (History)

Attachments
Patched tl-kinit.sh (843 bytes, application/x-shellscript)
2020-05-29 13:48 CEST, tobias.haas

Description tobias.haas 2020-05-29 13:48:38 CEST
Created attachment 960
Patched tl-kinit.sh

Testing ThinLinc on Debian Buster with KCM we noticed that heimdal kinit ignores the KRB5CCNAME environment variable if

[appdefaults]
ccache = KCM:%u...

is set in /etc/krb5.conf (it always uses the default value in our setup). Thus, tl-kinit.sh generates a ticket cache in the wrong place. We suggest setting the path explicitly using kinit -c "${KRB5CCNAME}", see attachment. This fixes the problem in our setup. As far as I know, this option should be the same for heimdal and MIT and I don't see anything that should be broken using the -c option.
Comment 1 Pierre Ossman cendio 2020-05-29 13:51:33 CEST
Won't applications ignore $KRB5CCNAME the same way kinit does in those cases?
Comment 2 tobias.haas 2020-05-29 14:09:09 CEST
I didn't notice that this is the case. For example klist uses the value in the variable. To me it seems that only on ticket creation the option is applied. But I'm no expert in this topic.
Comment 3 tobias.haas 2020-05-29 14:23:20 CEST
Further tests with kdestroy, ldapsearch and Thunderbird (gssapi) gave the same result. They use the value in the variable and not the default value in krb5.conf.
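
An added example, not part of this thread and not the attached tl-kinit.sh: a wrapper that passes the cache to kinit with -c as suggested in the description, then checks that the cache named by $KRB5CCNAME actually holds a valid ticket. The function name, the return codes and the KINIT/KLIST override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ThinLinc code): get a ticket into the cache named by
# $KRB5CCNAME and confirm it landed there.
# KINIT and KLIST are hypothetical overrides so other binaries can be swapped in.
KINIT="${KINIT:-kinit}"
KLIST="${KLIST:-klist}"

# kinit_into_ccname [kinit arguments, e.g. the principal]
# Returns 0 when $KRB5CCNAME holds a valid ticket afterwards,
#         2 when KRB5CCNAME is unset or empty,
#         3 when kinit itself fails,
#         4 when kinit succeeded but the named cache has no valid ticket.
kinit_into_ccname() {
    if [ -z "${KRB5CCNAME:-}" ]; then
        echo "KRB5CCNAME is not set; refusing to use the default cache" >&2
        return 2
    fi

    # Name the cache explicitly instead of relying on the environment
    # variable, which the report says Heimdal kinit ignores when
    # [appdefaults] ccache is set in krb5.conf.
    "$KINIT" -c "${KRB5CCNAME}" "$@" || return 3

    # klist -s prints nothing and reports through its exit status;
    # -c restricts the check to the cache the session is supposed to use.
    if ! "$KLIST" -s -c "${KRB5CCNAME}"; then
        echo "kinit succeeded but ${KRB5CCNAME} holds no valid ticket" >&2
        return 4
    fi
    return 0
}
```

Return code 4 is the case this bug describes: the ticket was issued but written somewhere other than the session's cache.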
