krb5 library missing functions for collections

Greg Hudson ghudson at mit.edu
Thu Aug 15 12:21:20 EDT 2019


On 8/15/19 10:01 AM, Charles Hedrick wrote:
> I can actually do the combination of MIT libkrb5 and Heimdal KCM. I’m assuming that the Mac has a normal Heimdal KCM.

It appears they differ in this regard.  The kcm_access() function
determines which clients see which caches, and the implementations are
totally different in the upstream and Apple-customized Heimdal versions.
 The two versions can be seen here:

https://opensource.apple.com/source/Heimdal/Heimdal-520.220.2/kcm/acl.c.auto.html
https://github.com/heimdal/heimdal/blob/master/kcm/acl.c#L38

Apple's version only allows root to see "system" and root-owned caches,
while upstream Heimdal's allows it to see everything.

