Created attachment 189892 [details]
patch to allow linking against different kerberos implementations

The krb5_ccname option in nslcd.conf for kerberos authentication has no effect. This port always links against the base kerberos (heimdal). In addition to the upstream documentation saying that only MIT kerberos is tested (https://arthurdejong.org/nss-pam-ldapd/HACKING), when linking against heimdal, the krb5_ccname option appears to have no effect. According to the debug logs, /tmp/krb5cc_928 is always used as the ticket cache. Exporting the KRB5CCNAME environment variable also did not work. This issue was resolved when I linked against MIT's kerberos.

I've attached a diff of the port's Makefile to allow choosing which Kerberos implementation to link against. I have only tested this with MIT kerberos.
This is not a bug in nslcd. This is actually the intended behavior of both heimdal and MIT kerberos libraries when called from a process that has called setuid(). The krb libraries consider the process "tainted" (due to the potential for exploiting setuid root binaries) and no longer trust the KRB5 environment variables. The source code of nslcd simply uses the krb5_ccname option to set the KRB5CCNAME environment variable, which does not work if nslcd drops privileges. Basically any other program which drops privileges from root will have this issue (and there are many). Closing because the behavior, while confusing, is the intended behavior of the Heimdal and MIT KRB5 libraries.
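Added example, not code from nslcd, Heimdal or MIT krb5: a small self-contained C model of the behavior the closing comment describes. It shows a "tainted process" check in the spirit of the libraries' own (issetugid(2) on the BSDs, otherwise a comparison of real/effective uids against the ids recorded at startup; the exact rule each library applies is an assumption here, not copied from their source), and contrasts the two ways a privilege-dropping daemon can pick a credential cache: exporting KRB5CCNAME, which a tainted process ignores in favour of the per-uid default /tmp/krb5cc_<uid>, versus handing the name to the library explicitly. The uid 928 is the value from the report; the cache path /var/run/nslcd/krb5cc is a made-up example.

```c
/* Added example (not nslcd's, Heimdal's or MIT's code): model of why setting
 * KRB5CCNAME stops working once a daemon drops root, and of the explicit
 * alternative. */
#if defined(__linux__)
#define _GNU_SOURCE          /* setenv() under strict -std=c99 on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* uids observed at program start; a daemon that later drops privileges
 * records them before any setuid() call (assumption of this model). */
static uid_t start_ruid, start_euid;

static void record_start_ids(void)
{
    start_ruid = getuid();
    start_euid = geteuid();
}

/* Is the process "tainted", i.e. must environment-supplied paths be ignored?
 * On the BSDs issetugid(2) stays set once any uid/gid has changed. Elsewhere
 * the same rule is modelled: a mismatch between real and effective ids, or
 * any change from the ids recorded at start, marks the process tainted. */
static int process_is_tainted(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    if (issetugid())
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid()
        || getuid() != start_ruid || geteuid() != start_euid;
}

/* Resolve the cache name the way the report describes: an explicit,
 * API-supplied name always wins; KRB5CCNAME is honoured only from an
 * untainted process; otherwise fall back to FILE:/tmp/krb5cc_<uid>.
 * 'tainted' and 'uid' are parameters so the rule can be exercised without
 * actually changing uids. */
static const char *resolve_ccname(const char *explicit_name, int tainted, uid_t uid)
{
    static char fallback[64];
    const char *env;

    if (explicit_name != NULL && *explicit_name != '\0')
        return explicit_name;
    env = getenv("KRB5CCNAME");
    if (!tainted && env != NULL && *env != '\0')
        return env;
    snprintf(fallback, sizeof fallback, "FILE:/tmp/krb5cc_%lu", (unsigned long)uid);
    return fallback;
}

/* What the closing comment says nslcd does: export KRB5CCNAME and rely on
 * the library reading it. Returns the name the library would end up using. */
static const char *via_environment(const char *wanted, int tainted, uid_t uid)
{
    setenv("KRB5CCNAME", wanted, 1);
    return resolve_ccname(NULL, tainted, uid);
}

/* The alternative: pass the name to the library explicitly. With real
 * libkrb5 this corresponds to krb5_cc_set_default_name(ctx, name), which
 * both MIT and Heimdal export (assumption: not verified against nslcd). */
static const char *via_api(const char *wanted, int tainted, uid_t uid)
{
    return resolve_ccname(wanted, tainted, uid);
}

int main(void)
{
    const char *wanted = "FILE:/var/run/nslcd/krb5cc"; /* made-up path */
    int tainted;

    record_start_ids();
    /* If started as root, drop privileges like nslcd does; 928 is the uid
     * from the report. Unprivileged runs simply stay untainted. */
    if (geteuid() == 0 && setuid(928) != 0) {
        perror("setuid");
        return 1;
    }
    tainted = process_is_tainted();
    printf("tainted=%d\n", tainted);
    printf("via KRB5CCNAME : %s\n", via_environment(wanted, tainted, getuid()));
    printf("via explicit   : %s\n", via_api(wanted, tainted, getuid()));
    return 0;
}
```

Run as root, the environment path is discarded and the output falls back to FILE:/tmp/krb5cc_928, matching the debug log in the report, while the explicit name survives; run as an ordinary user the process is untainted and both paths agree.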