A patch to support S4U2proxy in db2 module

Nico Williams nico at cryptonector.com
Thu Jul 5 07:55:00 EDT 2012

I had a chat with Tom about what to do with policy.

We seemed to conclude that we'll want to make policy extensible, then
extend it.  This is known as a medium-to-large project, I'm sure:

 - new RPCs will be needed;

 - the policy DB format will necessarily change;

 - a new dump format will be needed;

 - trivial rollback of upgrades may no longer be possible,
   requiring instead a DB conversion.

Once that's done (if anyone ever gets to it), then all sorts of
operations at the kadm5srv or kdb layers may need to be remapped to
modifications of policy objects.  Having a princ string attr
validator/remapper in place by then will help.


More information about the krbdev mailing list