Authorising via non-root user
Oleksiy Melnyk
Oleksiy.Melnyk at somewhere.kiev.ua
Wed Dec 18 02:56:47 EST 2002
The text that follows is based on guesses based on my experience :).
In order to do authentication, a kerberized service should have access to the
service key. Usually the key is stored in a keytab file. By default it is
'/etc/keytab', readable by root only. The environment variable KRB5_KTNAME can be
used to specify another location. So, you have to create a daemon-readable
keytab file (by kadmin ktadd with parameters, or play with ktutil), and tell your
daemon where to find it.
It should be independent of the KDC - because non-root has no access to the KDC's files
and it works :)
Sergei Grigoriev wrote:
> The Unix host running the daemon is not a KDC - does the environment
> variable you quote apply to GSSAPI calls on non-KDC machines also?
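
A check that could be run before starting the daemon, added here as an example and not part of the original message: it resolves the keytab the way the post describes (KRB5_KTNAME, else '/etc/keytab') and confirms the file is private to the daemon's account. The function names and the expected-uid argument are assumptions.

```shell
#!/bin/sh
# Added example: audit the keytab a non-root daemon is told to use.
# Paths and uids supplied by callers are assumptions, not from the post.

# Resolve the keytab location: KRB5_KTNAME if set, otherwise the default
# path named in the post. A "FILE:" type prefix is stripped if present.
keytab_path() {
    kt="${KRB5_KTNAME:-/etc/keytab}"
    case "$kt" in
        FILE:*) kt="${kt#FILE:}" ;;
    esac
    printf '%s\n' "$kt"
}

# check_keytab UID
# Succeeds only if the keytab is a regular file (not a symlink), owned by
# UID, with no group or other permission bits. Prints the reason otherwise.
check_keytab() {
    want_uid="$1"
    kt="$(keytab_path)"
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing, a symlink, or not a regular file"
        return 1
    fi
    # ls -ln prints: mode links uid gid size ... (numeric owner ids)
    info="$(ls -ln "$kt")"
    mode="$(printf '%s\n' "$info" | awk '{print $1}')"
    uid="$(printf '%s\n' "$info" | awk '{print $3}')"
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $kt is accessible to group/other ($mode)"
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $kt is owned by uid $uid, expected $want_uid"
        return 1
    fi
    echo "OK: $kt is private to uid $want_uid"
}

# Typical use, run as the daemon account before starting the service:
#   export KRB5_KTNAME=/path/to/daemon.keytab; check_keytab "$(id -u)"
```

A keytab holds the service's long-term key, so a copy readable by other local accounts lets them act as the service; the check fails on any group or other permission bit for that reason.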