rpcsec_gss, kadmind service principal, etc.

Sam Hartman hartmans at MIT.EDU
Mon Dec 9 13:37:01 EST 2002

>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:

    Kevin> Since I
    Kevin> made the above incompatible change, I didn't see the need
    Kevin> to continue to support the older service names.  This is
    Kevin> causing problems trying to run the unit tests since they
    Kevin> run the OV kpasswd program which requires kadmind to handle
    Kevin> 'kadmin/changepw' as well.  Should I be worrying about
    Kevin> this?

Yes.  Quoting  the set-change-password draft:

   AP-REQ data: (see [3]) For a change password/key request, the AP-REQ
   message service ticket sname, srealm principal identifier is
   kadmin/changepw at REALM where REALM is the realm of the change password
   service. The same applies to a set password/key request except the
   principal identifier is kadmin/setpw at REALM. The authenticator in the
   AP-REQ MUST contain a subsession key (which will be used to encrypt

You'll break all existing change password services if you don't
support kadmin/changepw.  I'm not sure what I think about kadmin/fqdn
instead of kadmin/admin.  I think that may cause problems if we ever
go to multi-master admin servers.

More information about the krbdev mailing list