Getting root's cred in the ccache from keytab

Tomas Kuthan tomas.kuthan at oracle.com
Tue Mar 25 12:02:40 EDT 2014


On 03/25/14 04:53 PM, Greg Hudson wrote:
> On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
>> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
>> have it in cache, an attempt is made in krb5_gss_init_sec_context() to
>> get one using system keytab. First keys for
>> 'root/hostname.some.domain@REALM' are sought, followed by
>> 'host/hostname.some.domain@REALM' and 'HOSTNAME$@REALM'.
>>
>> I was told that similar logic might be implemented in MIT Kerberos [...]
>
> Only for a broad definition of "similar."  After a lot of discussion, we
> implemented
>
>      http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
> which introduces the concept of the "client keytab" as distinguished
> from the acceptor keytab.

So that's the client keytab!
I stumbled across it, but I wrongly considered it as "not it".

Thanks,
Tomas

