Parameterized search paths for default keytab, ccache
Greg Hudson
ghudson at MIT.EDU
Mon Jun 11 15:58:48 EDT 2012
On 06/11/2012 03:21 PM, Nico Williams wrote:
> Job control session IDs are useless for this purpose. It has to be
> PAGs, keyrings, or similar.
I don't know if we can usefully implement PAGs or keyrings in the
parameterization expansion.
> I think we might be able to just not do this for
> keytab creation (ktadd) -always require that the user specify a keytab
> path-, and as for ccache creation, always create the most-specific one
> that we can create. This causes the container existence idea to be
> implied, which makes it less hackish.
Again, we don't know at krb5_kt_default/krb5_cc_default time whether the
object is going to be created, modified, or merely read from. Consider:
1. krb5_cc_default()
2. krb5_cc_get_name()
3. krb5_cc_initialize()
Step 1 can't return the first ccache it can create--it doesn't have a
client principal yet, nor does it know that the caller is creating a
ccache. And it can't defer the decision as to what ccache it's using,
because the caller can ask for the name before it indicates whether it's
creating or merely using the ccache.
More information about the krbdev
mailing list