Presence/absence of the keytab

Marcus Watts mdw at umich.edu
Sat May 6 02:38:09 EDT 2006


> From: Russ Allbery <rra at stanford.edu>
> Subject: Re: Presence/absence of the keytab
> Date: Fri, 05 May 2006 22:52:19 -0700
> Organization: The Eyrie
> Message-ID: <87odybem3w.fsf at windlord.stanford.edu>
> References: <m2k68z4wn1.fsf at darwin.oankali.net>
> To: kerberos at MIT.EDU
> 
> Marcus Watts <mdw at umich.edu> writes:
> 
> > Or it could be using the kerberos 5 library call
> > krb5_verify_init_creds() to do the same thing.  In the latter case there
> > is in fact an option to control what happens when the keytab is missing.
> > There are two ways to invoke this:
> 
> > 	/1/ compile-time configuration: add logic:
> > 		add variable, type: krb5_verify_init_creds_opt
> > 		initialize with
> > 			krb5_verify_init_creds_opt_init
> > 		use krb5_verify_init_creds_opt_set_ap_req_nofail
> > 			to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
> > 		pass as last parm to krb5_verify_init_creds
> 
> > 	/2/ run-time configuration:
> > 		add [libdefaults]
> > 			verify_ap_req_nofail = TRUE
> > 		to krb5.conf
> 
> > At a quick glance, the "libpam-krb5 1.2.0" that comes with debian linux
> > does the former - hardcoded logic.  Doesn't seem to be any way to make
> > it give up if no keytab is present, but there is a debug option that
> > will cause it to log helpful text when various errors occur, including
> > no keytab.
> 
> Is this run-time configuration supported with both MIT Kerberos and
> Heimdal?  If so, I can modify Debian's libpam-krb5 to use that approach
> instead (since it looks like I'm going to end up being the upstream
> maintainer of that fork of the code anyway since we need it at Stanford
> and I need to add and fix a bunch of bits in it anyway).
...

Looks to me like Heimdal has supported both krb5_verify_init_creds & friends,
and "verify_ap_req_nofail" since at least 0.6.4.

				-Marcus
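The practical question in this thread is what happens on a host where the keytab is absent: unless verify_ap_req_nofail is set (or the nofail option is passed to krb5_verify_init_creds), the library silently skips verifying the TGT against the host key. The following audit script is an added example, not code from the thread or from libpam-krb5; it assumes a krb5.conf path and a keytab path as inputs and consults only the [libdefaults] key named above.

```shell
#!/bin/sh
# Added example (not from the thread or libpam-krb5): report how a host will
# behave when a PAM module calls krb5_verify_init_creds() on login.
# Assumed inputs: path to krb5.conf and path to the host keytab.

# Print the value of KEY from the [libdefaults] section of CONF (empty if unset).
# Simplification: nested { ... } subsections inside [libdefaults] are not handled.
libdefaults_value() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { inlib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        inlib {
            line = $0
            sub(/#.*/, "", line)                      # drop a trailing comment
            if (line ~ /^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=/) {
                k = line; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
                if (k == key) {
                    v = line; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
                    print v; exit
                }
            }
        }' "$conf"
}

# Classify the outcome of krb5_verify_init_creds() on this host.
# Exit status: 0 = keytab readable, verification will be attempted against it
#                  (whether it holds the host key is not checked here; use klist -k);
#              1 = no keytab, but verify_ap_req_nofail is on: login fails closed;
#              2 = no keytab and the flag is off: verification is silently skipped.
keytab_posture() {
    conf="$1"; keytab="$2"
    if [ -r "$keytab" ] && [ -s "$keytab" ]; then
        echo "keytab present: initial credentials will be verified against $keytab"
        return 0
    fi
    nofail=$(libdefaults_value "$conf" verify_ap_req_nofail | tr '[:upper:]' '[:lower:]')
    case "$nofail" in
        y|yes|true|t|1|on)
            echo "keytab missing: verify_ap_req_nofail=$nofail, login will fail closed"
            return 1 ;;
        *)
            echo "keytab missing: TGT verification is skipped, a forged KDC reply would be accepted"
            return 2 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    keytab_posture "$1" "$2"
fi
```

Run it as `sh audit.sh /etc/krb5.conf /etc/krb5.keytab`; a status of 2 is the configuration the thread warns about.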
