MSLSA and ccconfigs (Re: get_cred starting realm)
Nico Williams
nico at cryptonector.com
Wed Apr 29 19:19:37 EDT 2015
On Wed, Apr 29, 2015 at 06:24:07PM -0400, Benjamin Kaduk wrote:
> On Wed, 29 Apr 2015, Nico Williams wrote:
> > > The LSA itself permits insertion; our MSLSA interface to it may not be
> > > quite so generous, though I don't remember offhand.
> >
> > Does it permit storing of ccconfigs? (That would be handy.)
>
> 2060 if (krb5_is_config_principal(context, creds->server)) {
> 2061 /* mslsa cannot store config creds, so we have to bail.
> 2062 * The 'right' thing to do would be to return an appropriate error,
> 2063 * but that would require modifying the calling code to check
> 2064 * for that error and ignore it.
> 2065 */
> 2066 return KRB5_OK;
> 2067 }
>
> Though, I expect that code was written ten or fifteen years ago and the
> comment may be stale.
[resend]
Unless the LSA blows up (doubtful) or kills the caller (doubtful),
what's the point of stubbing this out? Try it. In the worst case it
will fail.
Nico
--
More information about the krbdev
mailing list