krb5.conf.kcm.socket.path

The krb5.conf.kcm.socket.path parameter specifies an alternate socket path for the KCM server. It applies when krb5.cache.type is KCM.

This is useful because it lets you configure an alternative KCM socket path, for example /var/centrifydc, so that the socket can be shared between Docker hosts and Docker containers. A change in value requires adreload to take effect.

  • When the parameter is an empty string (default), the default path /var/run/.centrify-kcm-socket is used.
  • When the parameter is set to a non-empty string AND krb5.conf.kcm.socket.path.secure.usable.check is false, the configured socket path is used without the secure and usable check.
  • When the parameter is set to a non-empty string AND krb5.conf.kcm.socket.path.secure.usable.check is true, the configured socket path is checked to see whether it is valid:
    • If the socket path is valid, the configured socket path is used.
    • If the socket path is not valid, the default socket path, /var/run/.centrify-kcm-socket, is used.

To change the socket path:

  1. In centrifydc.conf, set krb5.conf.kcm.socket.path to a valid path.

  2. If the configured KCM socket path is not secure but you still want to use it, ensure that krb5.conf.kcm.socket.path.secure.usable.check is false.

  3. Run adreload.

krb5.conf.kcm.socket.path.secure.usable.check

The krb5.conf.kcm.socket.path.secure.usable.check parameter specifies whether to perform a secure and usable check on the alternate socket path for the KCM server. This parameter works in conjunction with krb5.conf.kcm.socket.path. Options are:

  • false — Default. No check is performed; a configured socket path is used as-is.
  • true — If krb5.conf.kcm.socket.path is configured, the specified socket path and its parent directory are checked against the criteria below.

A socket path is valid when it meets the following criteria:

  • the parent directory exists
  • the parent directory is not a symlink
  • the parent directory is writable by root only
  • the socket path does not exist, or it exists but is not a directory
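The following is an added example, not Centrify's own code, that models how the two parameters combine and applies the four validity criteria above to a real filesystem path. The `root_uid` argument is an assumption added so the demo can run unprivileged (the product checks for root, uid 0); `DEFAULT_KCM_SOCKET` mirrors the default path stated on this page.

```python
import os
import stat
import tempfile

DEFAULT_KCM_SOCKET = "/var/run/.centrify-kcm-socket"  # default path from the page

def parent_dir_is_secure(st_mode, st_uid, root_uid=0):
    """Parent-directory criteria: a real directory (not a symlink),
    owned by root, and writable by root only."""
    if stat.S_ISLNK(st_mode) or not stat.S_ISDIR(st_mode) or st_uid != root_uid:
        return False
    # Any group/other write bit means a non-root user could plant a socket there.
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def socket_path_is_valid(path, root_uid=0):
    parent = os.path.dirname(path) or "."
    try:
        pst = os.lstat(parent)  # lstat so a symlinked parent is seen as a symlink
    except FileNotFoundError:
        return False  # parent directory must exist
    if not parent_dir_is_secure(pst.st_mode, pst.st_uid, root_uid):
        return False
    try:
        sst = os.lstat(path)
    except FileNotFoundError:
        return True  # socket path does not exist yet: usable
    return not stat.S_ISDIR(sst.st_mode)  # exists: must not be a directory

def effective_socket_path(configured, secure_usable_check, root_uid=0):
    """Resolve the path the way the two parameters combine."""
    if configured == "":
        return DEFAULT_KCM_SOCKET
    if not secure_usable_check:
        return configured  # check disabled: path used as-is
    return configured if socket_path_is_valid(configured, root_uid) else DEFAULT_KCM_SOCKET

def demo_in_tempdir():
    """Constructed layout; root_uid is the current user so this runs unprivileged."""
    me = os.getuid()
    base = tempfile.mkdtemp()
    os.chmod(base, 0o700)
    results = {"fresh": socket_path_is_valid(os.path.join(base, "kcm"), me)}
    os.mkdir(os.path.join(base, "isdir"))
    results["is_directory"] = socket_path_is_valid(os.path.join(base, "isdir"), me)
    os.symlink(base, os.path.join(base, "link"))
    results["via_symlink"] = socket_path_is_valid(os.path.join(base, "link", "kcm"), me)
    os.chmod(base, 0o777)
    results["world_writable"] = socket_path_is_valid(os.path.join(base, "kcm"), me)
    return results
```

Note that a world-writable directory such as /tmp fails the "writable by root only" criterion even though root can write there, which is why a path under it falls back to the default.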