Is KRB5_CONFIG info cached?
mikef at ack.Berkeley.EDU
Thu Jun 29 19:41:07 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 29 Jun 2006 at 18:43 (-0400), Marcus Watts wrote:
> As long as the KDCs are in different realms, you ought to be able to use
> one context, and one KRB5_CONFIG file, to access both.
But each time I call my subroutine, I get a new context.
> As it happens, I've been using Jeff's code for some other stuff.
> So, at a closer look at Jeff Horwitz's code, looks like he expects
> Authen::Krb5::init_context(). He's got this right before:
> if (context) croak("Authen::Krb5 already initialized");
I ran into this problem a while back and contacted Jeff about it. He
suggested the fix you mentioned (to free_context()), which I implemented.
So I don't have the problem of the context hanging around, because I do a
free_context() at the end of my subroutine.
> If these KDCs are for two different realms, can you list both config
> files in KRB5_CONFIG?
But then how do I get the *default realm* set correctly? In my script, I
do a parse_name() to create a principal object corresponding to the TGS
service principal (e.g., krbtgt/<realm>@<realm>). (It's this principal
object that I must pass to get_in_tkt_with_password()). And,
unfortunately, parse_name() complains if my config file doesn't have a
default realm, so defining both realms in the [realms] stanza doesn't do
me any good. But if I do define a default realm, then that's the KDC to
which I get connected, regardless of the realm name I specify when
constructing the TGS service principal name itself.
So, it seems I need to point to a different config file each time I want
to go to a different KDC. And, I don't know any way except the
KRB5_CONFIG environment variable to do it from within my subroutine code.
But given that I get a new context each time, why can't I reset the value
of KRB5_CONFIG on each call and have it be honored? This is the crux of
the matter, apparently.
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----
More information about the Kerberos