Question about krb5_kuserok() and .k5login
Michael Calmer
mc at suse.de
Thu Feb 24 06:25:54 EST 2005
Hi,
I have compared the krb5_kuserok() function of MIT kerberos and heimdal.
I found out that both implementations act differently in case of an
existing .k5login file.
heimdal:
- compare principal with local account
  => if match, return TRUE
- evaluate .k5login
MIT:
- if .k5login does not exist {
    * compare principal with local account
    => if match, return TRUE
  }
- evaluate .k5login
The problem with the MIT version is (using pam_krb5):
- if the user himself is not part of his own .k5login file, the account seems
to be no longer usable.
- the user cannot log in
- it seems that users who have their principals in this .k5login file
also cannot log in as this user. (tested with ssh - the user was asked for the
password of the destination user)
I am looking for the reason why both implementations differ.
Thanks for any insight on this question.
--
Best regards
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nürnberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - Michael.Calmer at suse.com
--------------------------------------------------------------------------
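As an added illustration (not part of Michael's post, and not code from either Kerberos distribution), the two decision procedures described above can be modelled side by side. The model assumes a constructed default realm `EXAMPLE.COM`, a deliberately simplified principal-to-account mapping (`user@EXAMPLE.COM` maps to local account `user`), and `.k5login` represented as `None` (file absent) or a list of its lines; the file ownership and permission checks that the real implementations also perform are omitted. The scenario names and sample principals are constructed for the example.

```python
"""Model of the two krb5_kuserok() authorization policies described in the post.

This is an illustrative reimplementation of the decision logic only; it is not
the MIT or Heimdal source and omits their .k5login file ownership checks.
"""

DEFAULT_REALM = "EXAMPLE.COM"  # constructed sample realm (assumption)


def principal_matches_account(principal: str, local_user: str) -> bool:
    """Simplified aname-to-lname mapping: 'user@DEFAULT_REALM' -> local account 'user'."""
    name, sep, realm = principal.partition("@")
    return sep == "@" and realm == DEFAULT_REALM and name == local_user


def k5login_allows(principal: str, k5login) -> bool:
    """Evaluate .k5login: None means the file does not exist; otherwise one principal per line."""
    if k5login is None:
        return False
    return any(line.strip() == principal for line in k5login if line.strip())


def kuserok_heimdal(principal: str, local_user: str, k5login) -> bool:
    """Heimdal order as described in the post: local-account match first, then .k5login."""
    if principal_matches_account(principal, local_user):
        return True
    return k5login_allows(principal, k5login)


def kuserok_mit(principal: str, local_user: str, k5login) -> bool:
    """MIT order as described in the post: the local-account match is only consulted
    when .k5login is absent; an existing .k5login is the sole authority."""
    if k5login is None:
        return principal_matches_account(principal, local_user)
    return k5login_allows(principal, k5login)


def run_scenarios() -> dict:
    """Return {scenario: (heimdal_result, mit_result)} for the cases raised in the post."""
    # Constructed .k5login contents for local account 'mc'.
    k5login_admin_only = ["admin@EXAMPLE.COM"]
    k5login_with_self = ["mc@EXAMPLE.COM", "admin@EXAMPLE.COM"]

    scenarios = {
        # No .k5login: both implementations fall back to the local-account match.
        "no k5login, own principal": ("mc@EXAMPLE.COM", "mc", None),
        # The symptom from the post: the user is not listed in his own .k5login.
        "k5login without self, own principal": ("mc@EXAMPLE.COM", "mc", k5login_admin_only),
        # A listed principal logging in as 'mc' is authorized by both.
        "k5login lists admin, admin as mc": ("admin@EXAMPLE.COM", "mc", k5login_admin_only),
        # Listing the user's own principal restores access under MIT semantics.
        "k5login with self, own principal": ("mc@EXAMPLE.COM", "mc", k5login_with_self),
        # Same name in a foreign realm: neither the mapping nor .k5login accepts it.
        "foreign realm, same name": ("mc@OTHER.REALM", "mc", k5login_admin_only),
    }
    return {
        name: (kuserok_heimdal(*args), kuserok_mit(*args))
        for name, args in scenarios.items()
    }


if __name__ == "__main__":
    for name, (heimdal, mit) in run_scenarios().items():
        print(f"{name:40s} heimdal={heimdal!s:5s} mit={mit!s:5s}")
```

The second scenario reproduces the behaviour the post complains about: under the MIT ordering an existing `.k5login` is the only thing consulted, so an account whose own principal is missing from the file locks its owner out, while Heimdal still admits the owner through the local-account match. The fourth scenario shows the operational consequence for MIT deployments: a `.k5login` that grants other principals access must also list the account's own principal if the owner is to keep logging in.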