db_invoke

Nikhil Mishra ls.niks at gmail.com
Mon Feb 2 00:12:56 EST 2009


Thanks Luke, and I understand the purpose of db_invoke.

But then, as I understand, for constrained delegation to work on the KDC side,
db_invoke has to be implemented, or at least in some form
check_allowed_to_delegate_to should be able to call some db function to
check that the given service principal is allowed to delegate to the given proxy_princ.

Is there any such db function as of now?

If I understand it correctly from previous email exchanges, constrained
delegation should work on the KDC side for MIT Kerberos?
Do we need some modifications in the calling functions, as I don't see it working
with db_invoke?


--Nikhil

On Mon, Feb 2, 2009 at 2:02 AM, Luke Howard <lukeh at padl.com> wrote:

> Nikhil,
>
> db_invoke is an extra layer of indirection, I added this initially so that
> interfaces between the KDC and backend could be easily added without
> changing the kdb dispatch table (principally to ease merges when this code
> was proprietary). Whether this approach is still valid is open to debate.
>
> There is no implementation in any of the backends shipped with MIT; you'll
> need to implement this yourself.
>
> -- Luke
>
>
> On 02/02/2009, at 5:51 AM, Nikhil Mishra wrote:
>
>> Hi All,
>>
>>
>> How is this function working?
>>
>> check_allowed_to_delegate_to
>>
>> calls
>>
>> code = krb5_db_invoke(context,
>>                         KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
>>                         &req_data,
>>                         &rep_data);
>>
>>
>> and in my case dal_handle->lib_handle->vftabl.db_invoke is always NULL.
>>
>> if (dal_handle->lib_handle->vftabl.db_invoke == NULL) {
>>     status = KRB5_KDB_DBTYPE_NOSUP;
>>     goto clean_n_exit;
>> }
>>
>>
>> I don't see any implementation for db_invoke as well.
>> Do we need to implement db_invoke, and if so, why do I see it being called
>> at multiple places?
>>
>> --Nikhil
>> _______________________________________________
>> krbdev mailing list             krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>>
> --
> www.padl.com | www.fghr.net
>
>
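
The indirection Luke describes and the NULL check quoted in the thread, as an added sketch (not MIT krb5 code and not written by either poster). Every `toy_` name, the request struct, the error values and the sample ACL are constructed stand-ins, and treating any nonzero code as a refusal is an assumption of the sketch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins; the real constants are defined by MIT krb5, not here. */
#define TOY_METHOD_CHECK_ALLOWED_TO_DELEGATE 1u /* for KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE */
#define TOY_ERR_NOSUP  (-1)                     /* for KRB5_KDB_DBTYPE_NOSUP */
#define TOY_ERR_DENIED (-2)                     /* hypothetical "not allowed" code */

/* Hypothetical request: the service asking, and the target it wants to reach. */
struct toy_delegate_req { const char *server, *proxy; };

/* Backend dispatch table; db_invoke is optional and may be left NULL. */
struct toy_vftabl {
    int (*db_invoke)(unsigned int method, const void *req, void *rep);
};

/* Constructed policy: which service may delegate to which target. */
static const struct toy_delegate_req toy_acl[] = {
    { "HTTP/web.example.com", "ldap/dir.example.com" },
};

/* A backend's db_invoke: one entry point, switched on the method id. */
int toy_backend_invoke(unsigned int method, const void *req, void *rep)
{
    const struct toy_delegate_req *r = req;
    (void)rep; /* this method returns only a status code */
    if (method != TOY_METHOD_CHECK_ALLOWED_TO_DELEGATE)
        return TOY_ERR_NOSUP; /* unknown methods are unsupported, not allowed */
    for (size_t i = 0; i < sizeof toy_acl / sizeof toy_acl[0]; i++)
        if (!strcmp(toy_acl[i].server, r->server) &&
            !strcmp(toy_acl[i].proxy, r->proxy))
            return 0;
    return TOY_ERR_DENIED;
}

/* KDC-side wrapper: a missing db_invoke yields "not supported", never success. */
static int toy_db_invoke(const struct toy_vftabl *vt, unsigned int method,
                         const void *req, void *rep)
{
    if (vt->db_invoke == NULL)
        return TOY_ERR_NOSUP;
    return vt->db_invoke(method, req, rep);
}

/* Caller in the style of check_allowed_to_delegate_to; nonzero means refuse. */
int toy_check_allowed_to_delegate_to(const struct toy_vftabl *vt,
                                     const char *server, const char *proxy)
{
    struct toy_delegate_req req = { server, proxy };
    return toy_db_invoke(vt, TOY_METHOD_CHECK_ALLOWED_TO_DELEGATE, &req, NULL);
}
```

With the table's `db_invoke` left NULL the check fails closed for every pair, which matches the behaviour reported in the thread for the stock backends.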


