kinit -S and krb 1.6
Mark.Phalan at Sun.COM
Mon Jul 30 18:03:32 EDT 2007
On 30 Jul 2007, at 23:37, Sam Hartman wrote:
>>>>>> "Mark" == Mark Phalan <Mark.Phalan at Sun.COM> writes:
> Mark> Unless the krb5.conf file is properly populated (and no
> Mark> fallbacks are being used) "kinit -S" is essentially rendered
> Mark> useless.
> I've always viewed kinit -s as an incredibly special purpose function
> that required you have complete control of the resulting credentials
> and their use.
The problem is not confined to kinit -S. It's true of any application
obtaining an initial service ticket and then trying to use the cached
ticket later on. That initial cached ticket will be stored with the
realm set. Later searches of the cred-cache will fail if a fallback
method for realm determination is being used.
kadmin on Solaris/OpenSolaris also fails to work in a "fallback"
environment. I haven't yet tested MIT's kadmin but I'm inclined to
think it will also fail if it can be made to use rpcsec_gss.
As krb5_get_init_creds() is a public interface other apps may be at
risk here too.
> I think it might be reasonable to allow kinit -s host/foo.com@ to work
> but I don't think it a requirement to provide a mechanism for knowing
> whether a realm should be specified or not.
I'm inclined not to special case the empty realm. Nico's suggestion
(store creds for both an empty realm and the actual realm) would seem
to provide a more consistent interface and work in all scenarios.