Zero-length entry in a keytab: why?!

kerberos@noopy.org kerberos at noopy.org
Thu Oct 8 21:16:50 EDT 2009


On Fri, Sep 18, 2009 at 7:17 AM, Nathan Patwardhan <noopy.org at gmail.com> wrote:
> On Thu, Sep 17, 2009 at 8:34 PM, Ezra Peisach <epeisach at mit.edu> wrote:
>
>> b) You mention a vendor app writing such a keytab with holes - care to
>> mention who? I suspect they might have extended their definition of a keytab
>> in a non-standard way... You can ask the vendor...
>
> Centrify.

I resolved this issue a couple of weeks ago.  I cannot say 100% what
Centrify does behind the scenes to create a keytab but I *can* say
that their implementation spewed a bunch of NULL records from their
keytab when I bumped up the debugging in my code -- or at least their
NULL stuff that wasn't on spec with either MIT or Heimdal keytab
formats -- such that I had a problem parsing Centrify-created keytabs
reliably with my code.

I ended up skipping these NULL records and comparing 'klist -k -e -K
-t' of my generated keytab (based on parsing the Centrify keytab and
excluding about many lines of NULLs) versus the Centrify keytab and
everything matched up.  I am convinced that there's just some
weirdness going on with Centrify keytab creation and I will file a bug
report with them, in particular since their keytab was 10k and my
rendition of the same was 2k.

-- 
K



More information about the Kerberos mailing list