Project review: policy refcount elimination
nico at cryptonector.com
Tue Jan 8 20:14:51 EST 2013
On Tue, Jan 8, 2013 at 11:04 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/08/2013 11:33 AM, Benjamin Kaduk wrote:
>> "A principal which references a nonexistent policy name will behave as
>> if it does not reference a policy" means the default policy, not the
>> "clear" policy, right?
> No. The policy named "default" is only the default for the purposes of
> kadmin addprinc (and specifically the kadmin client; that logic is in
> the client, not in libkadm5clnt/libkadm5srv or kadmind).
That might be surprising.
Could you make the kadmin/kadmin.local getprinc command fetch the
princ's policy and display dangling policies? (e.g., "Policy: foo*"
or "Policy: foo [non-existent]")