On Tue, Jul 25, 2017 at 11:20:21AM +0000, Ondrej Valousek wrote:
Out of interest: What is the difference between KCM and the gssproxy service?
So I don't know much about gssproxy to be honest, but if I understand it correctly, gssproxy provides access to Kerberos key material like keytabs to services like NFS's gssproxy.
KCM is a storage for credentials that you acquire from the KDC, for example during kinit or during a PAM password login. Normally, on RHEL-6, the credentials are stored in a flat file, on RHEL-7 in the kernel keyring. KCM is another storage, which is backed by a daemon.
The upside of using the daemon is that it's stateful, so it can do things like renewals regardless of whether the ticket comes through SSSD or kinit. The daemon can also provide notifications to the desktop and runs in userspace, so it's better suited for containers. (More details can be found in the design page, hopefully.)
The downside is of course more complexity and therefore more things that can go wrong, especially compared to a flat and dumb file.