Is KRB5_CONFIG info cached?

Ken Raeburn raeburn at MIT.EDU
Thu Jun 29 17:55:25 EDT 2006


On Jun 29, 2006, at 17:21, Mike Friedman wrote:
> Any ideas about this?  Is there any way to force connection to a specific
> KDC other than using the 'KRB5_CONFIG' environment variable?  (We don't
> use SRV records here, so that's not an option even if it would help in
> this case).

When a krb5_context is created, the current setting for KRB5_CONFIG
is looked up and effectively cached.  Actually, we open the listed
files if they exist, and occasionally go back and check if the files  
we've read have changed; so if a file is listed in KRB5_CONFIG but  
doesn't exist, a context is created, and then the file is created, we  
won't look at it for use in that context.

I don't know what the perl module is doing.

If these KDCs are for two different realms, can you list both config  
files in KRB5_CONFIG?

If you've got one realm name but two different databases and KDCs,  
well, it's going to hurt. :-)
But in 1.5 (betas out already, release expected RSN) we have support  
for a plugin that tells the library where to find the KDC (or certain  
other services) for a realm; you might be able to do something with  
that.  (The sample code for that plugin, not built or compiled  
normally, loads and runs a Python script.  So maybe you can find a  
way to get it to play nice with your Perl script.)

Ken
