porting CCAPI to UNIX

Nicolas Williams Nicolas.Williams at sun.com
Wed May 2 18:57:14 EDT 2007

On Wed, May 02, 2007 at 06:14:03PM -0400, Ken Raeburn wrote:
> On May 2, 2007, at 18:08, Russ Allbery wrote:
> > This is a very obvious question, I know, but have you looked at how
> > Heimdal handles this for KCM?
> >
> > It looks like they start kcm as a daemon from the system init scripts,
> > which I think is a better solution then mucking about with inetd.
> I've been assuming we probably don't want a process running if no one  
> on the system has any Kerberos credentials.  Maybe I'm wrong....

On Solaris 10U4 you'll see that nscd/nss_ldap can be configured to
support "self-credentialled" LDAP lookups, in which case the main nscd
forks off per-user nscd instances as needed.

We may follow a similar model for gssd and ktkt_warnd (which might even
become the credential daemon for krb5) in the future.

You may want to consider this model as well for the credentials daemon.

It may also be good to deal with the rcache through IPC to a daemon as


More information about the krbdev mailing list