[krbdev.mit.edu #3064] Solaris client and 1.4 kadmind
Nicolas Williams via RT
rt-comment at krbdev.mit.edu
Fri May 20 18:30:52 EDT 2005
On Fri, May 20, 2005 at 03:59:27PM -0400, Sam Hartman via RT wrote:
> I'd like to confirm that we don't have an interop problem if we use
> the non-rpc change password approach?
We don't have such an interop problem, no.
> If we do open up support for this principal, we would need to make
> sure that it was an AS request. Typically we do that with KDC flags;
> I would feel uncomfortable for that with a new principal and so we
> would need a check in kadmind.
The rpcsec_gss APIs in Solaris don't work that way, so you have to rely
on KDC flags.
Even if the rpcsec_gss APIs were better designed, since we're talking
GSS we'd need extensions in order to be able to observe the INITIAL
flag. Can we do that with name attributes?
Nico
--