Project Review: kinit -C
Nicolas Williams
Nicolas.Williams at oracle.com
Thu Sep 16 17:44:58 EDT 2010
On Thu, Sep 16, 2010 at 04:34:59PM -0400, Sam Hartman wrote:
> >> That would just leave the question of whether pluggable keytab
> >> types are a good idea. :-)
>
> Tom> I think it's a great idea. I'm not sure that we have time to
> Tom> implement it for the 1.9 release.
>
> As do I.
> Especially given that kinit -C ended up being taken and the syntax I
> ended up with was
> kinit -k -t KDB:
> Ken's solution works well.

+1

> I actually thought about a preauth plugin or a locate plugin that
> registered the kdb keytab in its initialization function combined with a
> change to the KDB keytab to take the realm of the KDB as its argument.
> I decided that having preauth plugins or locate plugins as a hook for a
> keytab registration was architecturally impure.

You don't strictly need that realm name argument, though I welcome
it.

IMO there should be a single KDB per-KDC host because: a) one should use
VMs to run distinct realms' KDCs on a single system, b) the KDB
technically can (and _does_, for cross-realm principals anyways) store
entries for principals in more than one realm. So I'd not be upset if
you didn't add that argument.

Nico
--