Default client keytab name

Greg Hudson ghudson at MIT.EDU
Mon Jul 23 11:02:06 EDT 2012

On 07/23/2012 09:33 AM, Sam Hartman wrote:
> 1) I'd prefer username based to uid-based for the default. That's easier
> to deal with most of the time

That's a little contrary to other discussions we've had on this issue,
given that username can have several different meanings ($USER,
$LOGNAME, getpwuid(getuid()), getpwuid(geteuid()), wtmp lookup), and
systemd decided to switch to uid-based per-user directories.

The parameterization framework we borrowed from Heimdal has support for
uid (using getuid(), so real uid) but not username.  We could add
username support, of course, but then we have to figure out exactly what
it means.

> 2) The file extension should be keytab not client-keytab.
> You can have a multi-part name if you like krb5.client.keytab or
> whatever, but the last part should be keytab.

That's fine.  Perhaps just "client.keytab".

> I agree that root would be desirable to treat specially, but don't think
> that's an absolute requirement.

From an end-user perspective, I think that would be fine, but I'm not
sure if this can be elegantly implemented.  The default name is
parameterized, not conditionalized, so we'd either be adding new concepts
(default keytab name for root, default client keytab name for root) or
adding conditionalization support to the default name somehow.

(Also, does "root" mean ruid is 0 or euid is 0?)
