Realm lookups again
Nicolas.Williams at sun.com
Thu Oct 2 13:08:02 EDT 2008
On Thu, Oct 02, 2008 at 11:56:53AM -0400, Ken Raeburn wrote:
> On Oct 2, 2008, at 11:29, Nicolas Williams wrote:
> >On Thu, Oct 02, 2008 at 11:54:03AM +0200, Mark Phalan wrote:
> >>(As already mentioned by Nico) this could be replaced by looking in
> >>keytab for host's keytab entries and using the realm found there.
> >Note that the keytab lookup can't be done at run-time. The process
> >doing the lookup may not have the permission to do it.
> True, but such processes are not server processes, they're client
> processes, so the security impact would be different. The "keytab
> entry not found because of wrong realm name" problem can't come up.
Server processes don't care what the default realm is. Clients,
specifically AS clients, do.
> >So it has to be done at realm-join time. OpenSolaris has a ralm-join
> >facility, but MIT krb5 does not.
> Yeah, we should fix that.
Yes, you should.
> Want to contribute yours? :)
I'll ask :)
Ours has a lot of Solaris-specific stuff in it (e.g., PAM
configuration). I'm not sure how portable it can be made. Also, it's a
KSH script, not a C program.
More information about the krbdev