need project review
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Apr 7 11:28:00 EDT 2008
--On Friday, April 04, 2008 03:18:57 PM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Fri, Apr 04, 2008 at 03:00:41PM -0500, Nicolas Williams wrote:
>> IMO we should deprecate stash files altogether. That should make this
>> issue go away -- what's the point of having a stash file if nothing will
>> read it?
>
> I should clarify. I think that the only thing that reads stash files
> should be the tool that migrates them to keytab file entries. That
> could be built-in to krb5kdc and kadmind, or it could be a standalone
> tool. Either way the stash file should be read once, migrated, and
> removed or ignored thereafter.

If you do that, then a tool to convert back becomes essential, instead of
just useful. It should not ever be the case that merely running a new KDC
or kadmind results in my stash file or database being automatically
converted to a format that will not work with the version I was running a
few minutes ago and might need to revert to.

Personally, I'm very wary of gratuitous automatic conversion. It would be
fine to convert to the new format when a feature is used that makes it
necessary, but doing it just because the new code ran is asking for trouble.