Is KRB5_CONFIG info cached?
Ken Raeburn
raeburn at MIT.EDU
Thu Jun 29 17:55:25 EDT 2006
On Jun 29, 2006, at 17:21, Mike Friedman wrote:
> Any ideas about this? Is there any way to force connection to a specific
> KDC other than using the 'KRB5_CONFIG' environment variable? (We don't
> use SRV records here, so that's not an option even if it would help in
> this case).
When a krb5_context is created, the current setting for KRB5_CONFIG
is looked up and effectively cached. Actually, we open the listed
files if they exist, and occasionally go back and check if the files
we've read have changed; so if a file is listed in KRB5_CONFIG but
doesn't exist, a context is created, and then the file is created, we
won't look at it for use in that context.
I don't know what the perl module is doing.
If these KDCs are for two different realms, can you list both config
files in KRB5_CONFIG?
If you've got one realm name but two different databases and KDCs,
well, it's going to hurt. :-)
But in 1.5 (betas out already, release expected RSN) we have support
for a plugin that tells the library where to find the KDC (or certain
other services) for a realm; you might be able to do something with
that. (The sample code for that plugin, not built or compiled
normally, loads and runs a Python script. So maybe you can find a
way to get it to play nice with your Perl script.)
Ken
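
Added example, not part of the original message and not MIT's code: a pre-flight check a wrapper script could run before starting a Kerberos client, because a file listed in KRB5_CONFIG that does not exist when the krb5_context is created is not picked up later by that context. It assumes the colon-separated form of KRB5_CONFIG; the function names, realm names and host names are made up for illustration.

```shell
#!/bin/sh
# Pre-flight check for KRB5_CONFIG (added example; names are hypothetical).

# check_krb5_config LIST
# LIST is a colon-separated list of config file paths, as in KRB5_CONFIG.
# Reports every entry that is missing or unreadable on stderr and returns 1
# if there is at least one, 0 otherwise. Empty entries are skipped.
check_krb5_config() {
    list=$1
    missing=0
    old_ifs=$IFS
    IFS=:
    for f in $list; do
        [ -n "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "KRB5_CONFIG entry missing or unreadable: $f" >&2
            missing=1
        fi
    done
    IFS=$old_ifs
    return "$missing"
}

# make_sample_configs DIR
# Writes two constructed per-realm config files into DIR so that both can be
# listed in KRB5_CONFIG. Realm and KDC names are placeholders.
make_sample_configs() {
    dir=$1
    printf '[realms]\n A.EXAMPLE = {\n  kdc = kdc1.a.example\n }\n' \
        > "$dir/realm-a.conf"
    printf '[realms]\n B.EXAMPLE = {\n  kdc = kdc1.b.example\n }\n' \
        > "$dir/realm-b.conf"
}

# When KRB5_CONFIG is already set, check it before any client is launched.
if [ -n "${KRB5_CONFIG:-}" ]; then
    check_krb5_config "$KRB5_CONFIG" ||
        echo "create the missing files before starting the client" >&2
fi
```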