Describe the bug
By default, toolbx creates a file /etc/krb5.conf.d/kcm_default_ccache with the following content:
# Written by Toolbx
# https://containertoolbx.org/
#
# # To disable the KCM credential cache, comment out the following lines.
[libdefaults]
default_ccache_name = KCM:
If you use toolbx to get a Fedora system without setting up sssd-kcm outside the container, kinit fails with an error:
kinit: Connection refused while getting default ccache
See https://discussion.fedoraproject.org/t/kinit-connection-refused-while-getting-default-ccache/136323
Debugging shows that kinit tries to connect to a socket that is absent in /var/tmp, and so fails.
It seems that the function configureKerberos (see https://github.com/containers/toolbox/blob/431f7f07c744e9243fb94c289be75e05c31ee1b2/src/cmd/initContainer.go#L543C6-L543C23) is unconditionally called and will always create the configuration, because /etc/krb5.conf always exists on Fedora since it gets created as soon as krb5-libs is installed, and this is pulled in by openssh-clients, installed by default, see:
[misc@toolbx ~]$ rpm -qf /etc/krb5.conf
krb5-libs-1.21.3-6.fc42.x86_64
[misc@toolbx ~]$ LC_ALL=C rpm -e --test krb5-libs-1.21.3-6.fc42.x86_64
error: Failed dependencies:
libgssapi_krb5.so.2()(64bit) is needed by (installed) libtirpc-1.3.6-1.rc3.fc42.2.x86_64
libgssapi_krb5.so.2()(64bit) is needed by (installed) libssh-0.11.2-1.fc42.x86_64
libgssapi_krb5.so.2()(64bit) is needed by (installed) libcurl-8.11.1-5.fc42.x86_64
libgssapi_krb5.so.2()(64bit) is needed by (installed) openssh-clients-9.9p1-11.fc42.x86_64
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) is needed by (installed) libtirpc-1.3.6-1.rc3.fc42.2.x86_64
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) is needed by (installed) libssh-0.11.2-1.fc42.x86_64
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) is needed by (installed) libcurl-8.11.1-5.fc42.x86_64
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) is needed by (installed) openssh-clients-9.9p1-11.fc42.x86_64
libk5crypto.so.3()(64bit) is needed by (installed) libtirpc-1.3.6-1.rc3.fc42.2.x86_64
libkrb5.so.3()(64bit) is needed by (installed) libtirpc-1.3.6-1.rc3.fc42.2.x86_64
And while sssd-kcm is installed on my Fedora system, it doesn't start because it can't read its configuration (which I didn't need to until now). So this could have been working fine in the past, but failed due to a change in sssd.
So I think that toolbx shouldn't rely on sssd-kcm to be running without checking that first, as it could be used where it is not set up (e.g., a non-Fedora distro, or my installation).
Steps how to reproduce the behaviour
- Run toolbox create test -d fedora -r 42
- Run toolbox enter test
- Run sudo dnf install fedora-packager-kerberos
- Run klist
- See error
Expected behaviour
klist (or kinit or anything) should work and not stop with an error on the cache.
Actual behaviour
klist (or kinit, or others) shows an error:
kinit: Connection refused while getting default ccache
Output of toolbox --version (v0.0.90+)
$ toolbox --version
toolbox version 0.2
Toolbx package info (rpm -q toolbox)
$ rpm -q toolbox
toolbox-0.2-1.fc42.x86_64
Output of podman version
e.g.,
Client: Podman Engine
Version: 5.5.2
API Version: 5.5.2
Go Version: go1.24.4
Git Commit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
Built: Tue Jun 24 02:00:00 2025
Build Origin: Fedora Project
OS/Arch: linux/amd64
Podman package info (rpm -q podman)
podman-5.5.2-1.fc42.x86_64
Info about your OS
A bootc image of Fedora Silverblue 42. If this matters, the Dockerfile is here: https://github.com/mscherer/custom_silverblue/blob/main/Dockerfile but besides adding and removing packages, I do not think I have made anything that would impact this problem.