Client keytab ignored when CC has expired
Michael Osipov
1983-01-06 at gmx.net
Thu Jul 31 17:25:51 EDT 2014
Am 2014-07-31 um 17:52 schrieb Greg Hudson:
> On 07/31/2014 03:24 AM, Michael Osipov wrote:
>> That sounds reasonable and should solve the issue. Albeit, I do think that the detection
>> algorithm could be better and pursue a best-effort/match/seldom-fail approach. It make the
>> entire process idiot-proof.
>
> I have opened a ticket for this:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976
Great, waiting for this in 1.13 eagerly.
> I'm not sure if the process can be made completely idiot-proof, but it
> can certainly work better for the case where someone manually obtains
> credentials for the same principal as the one in the client keytab.
It would be better, at least.
> If a person gets credentials for a different principal, it's harder to be
> predictable.
If principals do not match, I would it expect to fail explicitly. Unless
someone uses a DIR-style CC and knows how to operate with kswitch.
Michael
More information about the Kerberos
mailing list