regression due to referral realm
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Feb 5 12:27:51 EST 2009
On Feb 5, 2009, at 8:30 AM, Nicolas Williams wrote:
> On Wed, Feb 04, 2009 at 12:15:24PM -0800, Henry B. Hotz wrote:
>> As a tangental nit, I wish the list of supported enctypes sent by
>> krb5_get_init_creds_keytab() was limited to those actually in the
>> keytab file (that are also supported by the library in question of
>> course). Since this has been discussed in the past, it's possible
>> you-
>> all have taken care of it, and I'm out of date.
>
> That's a separate issue, and not necessarily a bug: as long as the
> keytab and the KDB entry for that princ ar in sync there's no problem.
I agree, if the keytab is created by direct extraction from the KDB,
then synchronization is likely.
However, there are a lot of reasons why that might not be true. You
may extract with a different code base from your intended app (think
Java 1.4.2 for instance), or you may need SA's to create keytabs
directly from passwords.
> Also, IIRC you can affect this via default_*_enctypes.
This solution is too global, usually.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list