tree: 2732487a36d2401688425aac7a50e241ac208d3d [path history] [tgz]
  1. dbus/
  2. dbus_bindings/
  3. init/
  4. proto/
  5. seccomp/
  6. setuid_restrictions/
  7. account_manager.cc
  8. account_manager.h
  9. account_manager_test.cc
  10. BUILD.gn
  11. config_parser.cc
  12. config_parser.h
  13. config_parser_fuzzer.cc
  14. config_parser_fuzzer.dict
  15. config_parser_test.cc
  16. error_strings.cc
  17. error_strings.h
  18. fake_krb5_interface.cc
  19. fake_krb5_interface.h
  20. kerberos_adaptor.cc
  21. kerberos_adaptor.h
  22. kerberos_adaptor_test.cc
  23. kerberos_daemon.cc
  24. kerberos_daemon.h
  25. kerberos_metrics.cc
  26. kerberos_metrics.h
  27. kerberos_metrics_test.cc
  28. kerberosd_main.cc
  29. krb5_interface.h
  30. krb5_interface_impl.cc
  31. krb5_interface_impl.h
  32. krb5_interface_impl_test.cc
  33. krb5_jail_wrapper.cc
  34. krb5_jail_wrapper.h
  35. krb5_jail_wrapper_test.cc
  36. OWNERS
  37. platform_helper.cc
  38. platform_helper.h
  39. README.md
  40. tgt_renewal_scheduler.cc
  41. tgt_renewal_scheduler.h
  42. tgt_renewal_scheduler_test.cc
kerberos/README.md

Kerberos

This directory contains the Kerberos service, which provides functionality for getting and managing Kerberos tickets. It is used by Chrome to provide Kerberos Single-SignOn (SSO). Think of it as a fancy wrapper around kinit, kpasswd and klist.

The service is started by Chrome on demand, e.g. when the user navigates to the Kerberos Accounts settings page or when accounts are added by the KerberosAccounts policy. Note that in any case the kerberos.enabled pref has to be enabled. The KerberosEnabled policy maps to that pref.

The service is conceptually similar to the AuthPolicy service, with partly overlapping responsibilities like getting Kerberos tickets for users and auto- renewing tickets. There are many differences, though:

  • The AuthPolicy service is used on Active Directory managed devices. The Kerberos Service is used on cloud managed devices and possibly in the future on consumer devices.

  • AuthPolicy is started on the login screen since online authentication means getting a Kerberos ticket. The Kerberos service runs within a user session only.

  • AuthPolicy has many more responsibilities like joining the device to an Active Directory domain and fetching user and device policy.