question about MIT kpasswd and RPCSEC_GSS
Will Fiveash
will.fiveash at oracle.com
Wed Jan 21 18:17:28 EST 2015
On Wed, Jan 21, 2015 at 05:22:43PM -0500, Tom Yu wrote:
> Will Fiveash <will.fiveash at oracle.com> writes:
>
> > When talking to a older Solaris KDC that only supports the RPCSEC_GSS
> > protocol for change password request, will the current MIT kpasswd
> > command just work or does it require some non-default configuration
> > (some parameter set in krb5.conf)?
>
> My recollection is that we used to have a different kpasswd client
> program (dating back to the OV*Secure contribution, maybe) that did
> speak the kadm5 RPC protocol, but removed it. Now we only have a
> kpasswd client that speaks the kpasswd protocol.
Thanks, I was looking through some older notes I made about this and the
code and felt I had entered a maze of twisty passages that all looked
alike. Anyway (to make sure I'm clear) it's my understanding that MIT
back in 1.4 added support for kadmin/kadmind communication via
RPCSEC_GSS which made MIT kadmin compatible with Solaris kadmind. My
notes on this also implied that the MIT kpasswd was updated to use
RPCSEC_GSS or SET_CHANGE:
MIT supports a SET_CHANGE protocol for changing password. In 1.4
they added support for our RPCSEC_GSS protocol.
It could be that I was mistaken about this which prompted my earlier
question.
--
Will Fiveash
Oracle Solaris Software Engineer
More information about the Kerberos
mailing list