adclient.krb5.ccache.dir

The adclient.krb5.ccache.dir parameter specifies the directory where Kerberos ccache files are stored when krb5.cache.type is FILE.

This is useful when kerberos applications in docker containers use the kerberos cache files. This parameter, in conjunction with adclient.krb5.ccache.dir.secure.usable.check enables volume bind mapping so that kerberos cache files in the host OS are available to the docker containers.

Default is empty string.

  • If adclient.krb5.ccache.dir is not configured or set to default empty string, then:

    The system default ccache directory is used. If a default_ccache_name exists in the [libdefaults] stanza of krb5.conf, it is removed.

  • If adclient.krb5.ccache.dir is specified, AND adclient.krb5.ccache.dir.secure.usable.check is false, then:

    The specified directory is used for the default_ccache_name in the [libdefaults] stanza of krb5.conf.

  • If adclient.krb5.ccache.dir is specified, AND adclient.krb5.ccache.dir.secure.usable.check is true, BUT the kerberos cache directory is neither secure nor usable, then:

    The system default ccache directory is used. If a default_ccache_name exists in the [libdefaults] stanza of krb5.conf, it is removed.

  • If adclient.krb5.ccache.dir is specified, AND adclient.krb5.ccache.dir.secure.usable.check is true, AND the kerberos cache directory is secure and usable then:

    The specified directory is used for the default_ccache_name in the [libdefaults] stanza of krb5.conf.

    Note: When the ccache type is KCM, the klist lists KCM caches and file ccaches under the system default ccache directory. If the ccachedirectory is changed when ccache type is FILE, the newly created file ccaches might not be listed when ccache type is switched to KCM.

adclient.krb5.ccache.dir.secure.usable.check

The adclient.krb5.ccache.dir.secure.usable.check parameter specifies whether to perform a secure and usability check on a configured Kerberos ccache directory. Only used when adclient.krb5.ccache.dir set. Options are:

  • false — Default. No action taken.

  • true — If adclient.krb5.ccache.dir is configured, then adclient.krb5.ccache.dir.secure.usable.check checks the specified directory.

For the kerberos cache directory to be secure and usable it must meet the following criteria:

  • the directory exists

  • the directory is not a symlink

  • the directory is root owned

  • the directory is world writable and has sticky bit set