Change default kerberos credential cache location to /run/user/<username>

FED01-Change-Kerberos-credential-cache-default-loca.patch

@@ -0,0 +1,53 @@
+From 8ae0fc769b419e16ce7804bd516f7c2d03ce8471 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 22 Feb 2012 07:53:56 -0500
+Subject: [PATCH] FEDORA: Change Kerberos credential cache default location
+
+On Fedora, we need to default to using /run/user/%u for credential
+caches for improved security and to simplify rpc.gssd locating the
+cache for use with NFS.
+---
+ src/man/sssd-krb5.5.xml          |    4 ++--
+ src/providers/krb5/krb5_common.c |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
+index 247337a90a80b078d0395b27a02e5ea2c72a5ce8..cc10dc149c407450a59f39ebc2de0ac95e33028e 100644
+--- a/src/man/sssd-krb5.5.xml
++++ b/src/man/sssd-krb5.5.xml
+@@ -148,7 +148,7 @@
+                             </citerefentry> for details) is created.
+                         </para>
+                         <para>
+-                            Default: /tmp
++                            Default: /run/user/%u
+                         </para>
+                     </listitem>
+                 </varlistentry>
+@@ -206,7 +206,7 @@
+                             used to create a unique filename in a safe way.
+                         </para>
+                         <para>
+-                            Default: FILE:%d/krb5cc_%U_XXXXXX
++                            Default: FILE:%d/krb5cc
+                         </para>
+                     </listitem>
+                 </varlistentry>
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index c2cb94b61463cbdaf3f4fa5a5cb311af55b4b960..e3a74697249a8dd10907beaeaef415a48c3c30a9 100644
+--- a/src/providers/krb5/krb5_common.c
++++ b/src/providers/krb5/krb5_common.c
+@@ -34,8 +34,8 @@
+ struct dp_option default_krb5_opts[] = {
+     { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+-    { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
+-    { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
++    { "krb5_ccachedir", DP_OPT_STRING, { "/run/user/%u" }, NULL_STRING },
++    { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc" }, NULL_STRING},
+     { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
+     { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
+     { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+-- 
+1.7.7.6
+

sssd.spec

@@ -16,7 +16,7 @@
 
 Name: sssd
 Version: 1.8.0
-Release: 4%{?dist}.beta3
+Release: 5%{?dist}.beta3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -26,6 +26,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
 
+Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch
+
 ### Dependencies ###
 
 Conflicts: selinux-policy < 3.10.0-46
@@ -419,6 +421,9 @@ fi
 %postun -n libipa_hbac -p /sbin/ldconfig
 
 %changelog
+* Wed Feb 22 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.0-5.beta3
+- Change default kerberos credential cache location to /run/user/<username>
+
 * Wed Feb 15 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.0-4.beta3
 - New upstream release 1.8.0 beta 3
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3