Thoughts on initial ticket acquisition/verification on Sun (slightly OT)

Henry B. Hotz hotz at
Wed Nov 16 20:12:01 EST 2005

I just finished an auth plugin for Sun LDAP 5.2 that will accept a  
simple bind username/password and verify it against a K5 server.  It  
carefully does nothing if it's a SASL bind so the native SASL/GSSAPI/ 
K5 bind works as expected, using the native Sun Kerberos libraries.   
It calls the MIT-API routines discussed on this list, so it works  
with either MIT or Heimdal libraries (linked so they don't  
interfere).  It uses the same ldap/... principal and keytab that the  
Sun SASL support uses, and we will configure things so that keytab  
isn't the system one.

Nico suggested that I consider using PAM for this function.  That  
does fill the functionality gap in GSSAPI, but. . .  Sun's pam_krb5  
uses the system keytab and the host/... principal.  There don't seem  
to be any options to change the keytab location and principal used to  
do the verifications.

I think pam_krb5 should let you specify the keytab file and the check  

I think GSSAPI and MIT-API libraries should have an environment  
variable that sets the default keytab file, analogous to KRB5CCNAME.   
The commercial sendmail authproxy uses KRB5_KTNAME.

Alternatively I think the keytab file location could be put in the  
[appdefaults] section of krb5.conf.  Or both.  The point is:  this is  
best practice;  you should support it in the libraries, not require  
every application to program it independently.

From the Kerberos FAQ, question 5.1:
> Some common mistakes that newbies do when they Kerberize their  
> first client-server application:
> 1. They hard-code various things into their code, such as the  
> location of the keytab file, or the server's principal name. Bad  
> ideas.  . . .
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
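As an added illustration of the keytab-selection precedence the post argues for (this is not the poster's plugin code, and the precedence order is an assumption modelled on the post: a KRB5_KTNAME environment variable first, then a per-application `keytab` entry in the `[appdefaults]` section of krb5.conf, then the system keytab), the following Python resolves the keytab an application would use and checks whether it silently ended up on the system keytab. The krb5.conf fragment, application names and paths are constructed sample data; `/etc/krb5.keytab` as the system default is an assumption.

```python
import os
import re
from typing import Dict, Optional

# Constructed sample krb5.conf fragment (not from the post). The ldap
# stanza points the LDAP server at its own keytab, as the poster intends;
# the pam stanza deliberately names the system keytab.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    ldap = {
        keytab = /var/ldap/ldap.keytab
    }
    pam = {
        keytab = /etc/krb5.keytab
    }
"""

# Assumed system-wide default when nothing else is configured.
SYSTEM_KEYTAB = "/etc/krb5.keytab"


def parse_appdefaults(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [appdefaults] section into {app: {key: value}}.

    Handles the 'app = { ... }' block form that krb5.conf uses; other
    sections are skipped and '#' comments are ignored.
    """
    apps: Dict[str, Dict[str, str]] = {}
    in_section = False
    current: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sect = re.match(r"^\[(\w+)\]$", line)
        if sect:
            in_section = sect.group(1) == "appdefaults"
            current = None
            continue
        if not in_section:
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:
            current = block.group(1)
            apps.setdefault(current, {})
            continue
        if line == "}":
            current = None
            continue
        kv = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if kv and current is not None:
            apps[current][kv.group(1)] = kv.group(2).strip()
    return apps


def resolve_keytab(app: str, conf_text: str,
                   env: Optional[Dict[str, str]] = None) -> str:
    """Return the keytab 'app' would use under the assumed precedence:
    KRB5_KTNAME in the environment, then [appdefaults] app.keytab,
    then the system keytab."""
    env = os.environ if env is None else env
    kt = env.get("KRB5_KTNAME")
    if kt:
        return kt
    kt = parse_appdefaults(conf_text).get(app, {}).get("keytab")
    if kt:
        return kt
    return SYSTEM_KEYTAB


def uses_system_keytab(app: str, conf_text: str,
                       env: Optional[Dict[str, str]] = None) -> bool:
    """True when the application would fall back to the system keytab,
    which is exactly the situation the post wants to avoid for the
    LDAP server's ldap/... principal."""
    return resolve_keytab(app, conf_text, env) == SYSTEM_KEYTAB


if __name__ == "__main__":
    for name in ("ldap", "pam", "sshd"):
        print(name, resolve_keytab(name, SAMPLE_KRB5_CONF, env={}))
```

For reference, the MIT library side of this already exists in part: `krb5_kt_default()` honours `KRB5_KTNAME`, and `krb5_appdefault_string()` reads per-application values from `[appdefaults]`; an application that consults both, in that order, gets the behaviour the post asks for without hard-coding a path.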

More information about the krbdev mailing list