From 940002ca21abde53ad81df622d1f4dd3b5e8e014 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 30 Nov 2018 13:34:22 +0100
Subject: [PATCH 20/23] SECRETS: Don't limit the global number of ccaches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related: https://pagure.io/SSSD/sssd/issue/3386
In the KCM context, the global number of ccaches would limit the number of users who can store their ccaches in the KCM deamon. In more detail, the options have the following semantics with KCM: - DEFAULT_SEC_KCM_MAX_SECRETS - global number of secrets, would cover both how many ccaches can a user store, but this is better served with DEFAULT_SEC_KCM_MAX_UID_SECRETS - DEFAULT_SEC_KCM_MAX_UID_SECRETS - how many 'principals' can a user kinit with - DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE - the payload size of service tickets With the above in mind, I think the most important limits are max_uid_secrets to limit and the payload size to constraint how much space can a user occupy and it doesn't make much sense to limit the global quota.
Reviewed-by: Michal Židek
---
 src/util/secrets/secrets.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
index 31164bd86..9cf397516 100644
--- a/src/util/secrets/secrets.h
+++ b/src/util/secrets/secrets.h
@@ -39,7 +39,7 @@
 * but the secret size must be large because one secret in the /kcm
 * hive holds the whole ccache which consists of several credentials
 */
-#define DEFAULT_SEC_KCM_MAX_SECRETS 256
+#define DEFAULT_SEC_KCM_MAX_SECRETS 0 /* unlimited */
 #define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64
 #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536
--
2.20.1
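Review bot: `#define DEFAULT_SEC_KCM_MAX_SECRETS 0 /* unlimited */` only lifts the cap if the quota check treats 0 as "no limit", and that check is not part of this patch. If the enforcing code compares the stored count against the maximum without special-casing 0, this default would refuse every new ccache, so it is worth confirming against the rest of the series. With the global cap removed, the only remaining bounds are per user (64 secrets of at most 65536 each, presumably bytes), so total store growth scales with the number of UIDs that can reach KCM. The comment should say so, for example `/* 0 = no global cap; each UID is still bounded by MAX_UID_SECRETS * MAX_PAYLOAD_SIZE */`. The block comment above the define opens outside the hunk and may still describe a small global count, so it may need the same update.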