Is KRB5_CONFIG info cached?
Mike Friedman
mikef at ack.Berkeley.EDU
Thu Jun 29 19:41:07 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 29 Jun 2006 at 18:43 (-0400), Marcus Watts wrote:
> As long as the KDCs are in different realms, you ought to be able to use
> one context, and one KRB5_CONFIG file, to access both.
Marcus,
But each time I call my subroutine, I get a new context.
> As it happens, I've been using Jeff's code for some other stuff.
>
> So, at a closer look at Jeff Horwitz's code, looks like he expects
> Authen::Krb5::init_context(). He's got this right before:
> if (context) croak("Authen::Krb5 already initialized");
I ran into this problem a while back and contacted Jeff about it. He
suggested the fix you mentioned (to free_context()), which I implemented.
So I don't have the problem of the context hanging around, because I do a
free_context() at the end of my subroutine.
Ken,
You said,
> If these KDCs are for two different realms, can you list both config
> files in KRB5_CONFIG?
But then how do I get the *default realm* set correctly? In my script, I
do a parse_name() to create a principal object corresponding to the TGS
service principal (e.g., krbtgt/<realm>@<realm>). (It's this principal
object that I must pass to get_in_tkt_with_password()). And,
unfortunately, parse_name() complains if my config file doesn't have a
default realm, so defining both realms in the [realms] stanza doesn't do
me any good. But if I do define a default realm, then that's the KDC to
which I get connected, regardless of the realm name I specify when
constructing the TGS service principal name itself.
So, it seems I need to point to a different config file each time I want
to go to a different KDC. And, I don't know any way except the
KRB5_CONFIG environment variable to do it from within my subroutine code.
But given that I get a new context each time, why can't I reset the value
of KRB5_CONFIG on each call and have it be honored? This is the crux of
the matter, apparently.
Mike
_________________________________________________________________________
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://socrates.berkeley.edu/~mikef http://security.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBRKRlFq0bf1iNr4mCEQLQHQCgxz3mmbhs+OrzL/ZQhZktn3bjU50An0Hf
qj1COxhUJfhwQIG9R6T8/Lxj
=011B
-----END PGP SIGNATURE-----
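The per-call pattern described in the message above, written out as an added example; this is not code from the post or from Authen::Krb5 itself. It assumes an Authen::Krb5 build that provides free_context() (the fix Jeff is said to have suggested), MIT libkrb5 (whose krb5_init_context() consults KRB5_CONFIG each time it is called, unless a secure context is requested), and the per-realm config file paths, realm names, user name and KRB_TEST_PASSWORD variable shown, all of which are made up for illustration. The point it demonstrates: scoping the KRB5_CONFIG override to one call with `local`, building a fresh context for each realm, keeping the TGT in a memory credential cache, and always freeing the context so the next call can initialize again.

```perl
#!/usr/bin/perl
# Added example (not from the original post): obtain a TGT from one of
# several KDCs by pointing KRB5_CONFIG at a per-realm config file for the
# lifetime of a single Authen::Krb5 context.  File paths, realm names,
# user name and the password variable are assumptions for illustration.
use strict;
use warnings;
use Authen::Krb5;

# Assumed per-realm krb5.conf files, each with its own default_realm.
my %config_for_realm = (
    'ONE.EXAMPLE.COM' => '/etc/krb5/one.conf',
    'TWO.EXAMPLE.COM' => '/etc/krb5/two.conf',
);

# Obtain a TGT for $user in $realm, leaving no context or credential
# cache behind.  Returns 1 on success, 0 (error text in $@) on failure.
sub get_tgt_for_realm {
    my ($realm, $user, $password) = @_;
    my $config = $config_for_realm{$realm}
        or die "no config file known for realm $realm\n";

    # 'local' limits the override to this call: MIT libkrb5 reads
    # KRB5_CONFIG when krb5_init_context() runs, so each fresh context
    # picks up the file named here (a secure context, as used under
    # setuid, deliberately ignores the environment).
    local $ENV{KRB5_CONFIG} = $config;

    Authen::Krb5::init_context()
        or die "init_context: " . Authen::Krb5::error() . "\n";

    my $ok = eval {
        my $client = Authen::Krb5::parse_name("$user\@$realm")
            or die "parse_name: " . Authen::Krb5::error() . "\n";
        my $server = Authen::Krb5::parse_name("krbtgt/$realm\@$realm")
            or die "parse_name: " . Authen::Krb5::error() . "\n";

        # Memory ccache: the ticket never touches disk and is gone after destroy().
        my $cc = Authen::Krb5::cc_resolve("MEMORY:tgt_$$")
            or die "cc_resolve: " . Authen::Krb5::error() . "\n";
        $cc->initialize($client);

        Authen::Krb5::get_in_tkt_with_password($client, $server, $password, $cc)
            or die "get_in_tkt_with_password: " . Authen::Krb5::error() . "\n";

        # Ticket acquired; use it here if needed, then discard it.
        $cc->destroy;
        1;
    };
    my $err = $@;

    # Always free the context, even on error, so the next call can run
    # init_context() again without "Authen::Krb5 already initialized".
    Authen::Krb5::free_context();

    $@ = $err;
    return $ok ? 1 : 0;
}

# Usage: try each realm's own KDC in turn with a fresh context per realm.
for my $realm (sort keys %config_for_realm) {
    my $ok = get_tgt_for_realm($realm, 'alice', $ENV{KRB_TEST_PASSWORD} || '');
    printf "%-20s %s\n", $realm, $ok ? 'TGT obtained' : "failed: $@";
}
```

Because the environment override is `local` to the subroutine and the context is freed on every path out of it, nothing from one realm's configuration survives into the next call; if a later call still reaches the wrong KDC, the config file it was handed, not a stale context, is the first thing to check.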