Getting root's cred in the ccache from keytab
Greg Hudson
ghudson at MIT.EDU
Tue Mar 25 11:53:34 EDT 2014
On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
> have it in cache, an attempt is made in krb5_gss_init_sec_context() to
> get one using system keytab. First keys for
> 'root/hostname.some.domain at REALM' are sought, followed by
> 'host/hostname.some.domain at REALM' and 'HOSTNAME$@REALM'.
>
> I was told that similar logic might be implemented in MIT Kerberos [...]
Only for a broad definition of "similar." After a lot of discussion, we
implemented
http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
which introduces the concept of the "client keytab" as distinguished
from the acceptor keytab.