Realm lookups again
Ken Raeburn
raeburn at MIT.EDU
Thu Oct 2 11:56:53 EDT 2008
On Oct 2, 2008, at 11:29, Nicolas Williams wrote:
> On Thu, Oct 02, 2008 at 11:54:03AM +0200, Mark Phalan wrote:
>> (As already mentioned by Nico) this could be replaced by looking in the
>> keytab for host's keytab entries and using the realm found there.
>
> Note that the keytab lookup can't be done at run-time. The process
> doing the lookup may not have the permission to do it.
True, but such processes are not server processes, they're client
processes, so the security impact would be different. The "keytab
entry not found because of wrong realm name" problem can't come up.
> So it has to be done at realm-join time. OpenSolaris has a realm-join
> facility, but MIT krb5 does not.
Yeah, we should fix that.
Want to contribute yours? :)
Ken
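The join-time procedure the thread sketches (read the host's keytab entries while the process still has permission to do so, then record the realm in krb5.conf so unprivileged run-time clients never need the keytab), as an added shell example that is not code from the krbdev thread or from MIT krb5; the function names and the sample `klist -k` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): derive the host realm from the keytab
# once, at realm-join time, and write it to the config for run-time clients.

# Pick the realm out of `klist -k` style output on stdin. Prints the realm
# when exactly one realm appears in host/ entries; prints nothing and exits 2
# when several realms appear, rather than guessing.
realm_from_klist() {
  awk '
    $2 ~ /^host\/[^@]+@/ { split($2, p, "@"); realms[p[2]] = 1 }
    END {
      n = 0
      for (r in realms) { n++; found = r }
      if (n == 1) print found
      else if (n > 1) exit 2   # ambiguous: more than one realm in the keytab
    }'
}

# krb5.conf [libdefaults] fragment naming the realm found at join time.
libdefaults_fragment() {
  printf '[libdefaults]\n\tdefault_realm = %s\n' "$1"
}

# Join-time step: needs read access to the keytab (normally root). At run
# time a client process only reads the resulting krb5.conf, never the keytab.
join_time_realm() {
  keytab="${1:-/etc/krb5.keytab}"
  if [ ! -r "$keytab" ]; then
    echo "cannot read $keytab; run this at realm-join time as root" >&2
    return 1
  fi
  klist -k "$keytab" | realm_from_klist
}

# Constructed sample of `klist -k` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM'

# Usage on a real host: join_time_realm /etc/krb5.keytab
printf '%s\n' "$SAMPLE_KLIST" | realm_from_klist
```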