Realm lookups again

Nicolas Williams Nicolas.Williams at
Thu Oct 2 13:08:02 EDT 2008

On Thu, Oct 02, 2008 at 11:56:53AM -0400, Ken Raeburn wrote:
> On Oct 2, 2008, at 11:29, Nicolas Williams wrote:
> >On Thu, Oct 02, 2008 at 11:54:03AM +0200, Mark Phalan wrote:
> >>(As already mentioned by Nico) this could be replaced by looking in  
> >>the
> >>keytab for host's keytab entries and using the realm found there.
> >
> >Note that the keytab lookup can't be done at run-time.  The process
> >doing the lookup may not have the permission to do it.
> True, but such processes are not server processes, they're client  
> processes, so the security impact would be different.  The "keytab  
> entry not found because of wrong realm name" problem can't come up.

Server processes don't care what the default realm is.  Clients,
specifically AS clients, do.

> >So it has to be done at realm-join time.  OpenSolaris has a ralm-join
> >facility, but MIT krb5 does not.
> Yeah, we should fix that.

Yes, you should.

> Want to contribute yours? :)

I'll ask :)

Ours has a lot of Solaris-specific stuff in it (e.g., PAM
configuration).  I'm not sure how portable it can be made.  Also, it's a
KSH script, not a C program.


More information about the krbdev mailing list