Authorising via non-root user

Oleksiy Melnyk Oleksiy.Melnyk at
Wed Dec 18 02:56:47 EST 2002

Text that follows is based on guesses based on my experience :).

In order to do an authentication, kerberized service should have an access to 
service key. Usually key is stored in a keytab file. By defaults it is 
'/etc/keytab', readable by root only. Environment variable KRB5_KTNAME can be 
used to secify an other location. So, you have to create a daemon readable 
keytab file(by kadmin ktadd with parameters,or play with ktutil), and tell your 
daemon where to find it.
It should be independent of KDC - because non-root have no access to KDC's files 
and it works:)

Sergei Grigoriev wrote:
> The Unix host running the daemon is not a KDC - does the environment
> variable you quote apply to GSSAPI calls on non-KDC machines also?

More information about the Kerberos mailing list