Question about krb5_kuserok() and .k5login
g.w@hurderos.org
Thu Mar 3 10:46:09 EST 2005
On Feb 26, 6:54pm, Sam Hartman wrote:
} Subject: Re: Question about krb5_kuserok() and .k5login
Good morning to everyone, hope the day is going well.
> I believe the MIT behavior is correct. You need a way of saying that
> for a particular local account that the default Kerberos realm's
> principal by that name is not allowed to log in.
>
> Otherwise it is problematic to have machines where the local
> authorization policy does not map well to the Kerberos realm's account
> policy.
I've watched with a bit of, vested of course, interest the
conversations as of late on the behavior of krb5_kuserok and other
Kerberos authorization issues. Anything surrounding authorization
and/or identity translation with respect to Kerberos is of interest
to our project.
I just spent my free time over the last couple of weeks teaching the
KDC how to do self-initiated credential generation in order to more
seamlessly support the required synergies between OpenLDAP and the
KDC. This has raised a couple of issues that I need to go back and
address in the krb5_plugin architecture.
As long as we are headed in that direction, would it make sense to the
Kerberos community for us to begin looking at the issues that would
need to be addressed with providing an alternate fulfillment hook for
krb5_kuserok? Considering the discussions on the topic, extending
functionality for krb5_kuserok would seem to be an obvious candidate
for inclusion into the plug-in architecture.
Any comments or suggestions would be welcome.
> --Sam
Best wishes for a productive end of the week to everyone.
}-- End of excerpt from Sam Hartman
As always,
Dr. Greg 'GW' Wettstein
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
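The MIT behavior Sam Hartman defends in the quoted text is easy to get wrong when writing an alternate hook, so here is a simplified model of the krb5_kuserok() decision as an added example. It is not MIT's libkrb5 code and not Hurderos code: the `.k5login` file is represented as an in-memory list of lines (NULL meaning the file is absent), the realm EXAMPLE.ORG and the principals alice/bob/carol are constructed test data, and the ownership check is reduced to a boolean. The point it shows is that once a `.k5login` exists, the default "<localname>@<default realm>" rule no longer applies, so an empty `.k5login` is exactly the "this principal may not log in here" switch the quoted text asks for.

```c
/* Simplified model of the krb5_kuserok() authorization decision.
 * Added example for this thread; NOT MIT Kerberos or Hurderos code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_REALM "EXAMPLE.ORG"   /* assumed default realm for the example */

/* A ~/.k5login as it would be read from the user's home directory.
 * lines == NULL models "file does not exist"; an empty array models an
 * existing but empty file. owner_ok stands in for the check that the file
 * is owned by the user or by root. */
typedef struct {
    const char *const *lines;
    bool owner_ok;
} k5login_t;

/* Default rule, used only when there is no ~/.k5login: the principal must be
 * <luser>@<default realm>. A real implementation consults
 * krb5_aname_to_localname(); this model hardcodes the simple mapping. */
static bool default_principal_matches(const char *principal, const char *luser)
{
    char expected[256];
    int n = snprintf(expected, sizeof expected, "%s@%s", luser, DEFAULT_REALM);
    if (n < 0 || (size_t)n >= sizeof expected)
        return false;                    /* refuse rather than match a truncated name */
    return strcmp(principal, expected) == 0;
}

/* Returns true when `principal` may log in as local account `luser`. */
bool model_kuserok(const char *principal, const char *luser, const k5login_t *k5login)
{
    if (k5login == NULL || k5login->lines == NULL)
        return default_principal_matches(principal, luser);

    /* The file exists: a file not owned by the user or root is not trusted,
     * and the answer is deny, not "fall back to the default rule". */
    if (!k5login->owner_ok)
        return false;

    /* Exact-match lookup. Note there is no implicit entry for the default
     * principal, so an empty file denies everyone, including <luser>@REALM. */
    for (const char *const *p = k5login->lines; *p != NULL; p++) {
        if (strcmp(*p, principal) == 0)
            return true;
    }
    return false;
}

/* Constructed .k5login contents for the scenarios below. */
static const char *const empty_lines[] = { NULL };
static const char *const bob_lines[] = { "bob@EXAMPLE.ORG", "carol@ADMIN.EXAMPLE.ORG", NULL };
const k5login_t k5login_empty    = { empty_lines, true };
const k5login_t k5login_bob      = { bob_lines,   true };
const k5login_t k5login_badowner = { bob_lines,   false };

int main(void)
{
    printf("no .k5login,  alice@EXAMPLE.ORG -> alice: %d\n",
           model_kuserok("alice@EXAMPLE.ORG", "alice", NULL));          /* 1 */
    printf("empty .k5login, alice@EXAMPLE.ORG -> alice: %d\n",
           model_kuserok("alice@EXAMPLE.ORG", "alice", &k5login_empty)); /* 0 */
    printf("bob listed,   bob@EXAMPLE.ORG -> alice: %d\n",
           model_kuserok("bob@EXAMPLE.ORG", "alice", &k5login_bob));     /* 1 */
    printf("bob listed,   alice@EXAMPLE.ORG -> alice: %d\n",
           model_kuserok("alice@EXAMPLE.ORG", "alice", &k5login_bob));   /* 0 */
    return 0;
}
```

Anyone supplying a replacement hook should preserve the three distinct outcomes: file absent (default mapping applies), file present (only listed principals, default principal included only if listed), and file present but untrusted (deny). Collapsing the last two into the first reintroduces the problem the quoted text describes.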