get_cred starting realm
nico at cryptonector.com
Thu Apr 30 16:45:17 EDT 2015
On Thu, Apr 30, 2015 at 03:23:03PM -0500, Nico Williams wrote:
> On Thu, Apr 30, 2015 at 03:40:40PM -0400, Greg Hudson wrote:
> > I think the two other viable options are:
> >
> > 1. Make kinit -n and krb5_gss_accept_sec_context() responsible for
> > setting a start-realm config entry when the local TGT realm differs from
> > the client principal realm. Basically, treat the edge cases as
> > exceptional and force them to be addressed at the highest possible layers.
>
> I'd live with this because it'd at least interop with Heimdal and could
> be implemented by other stacks that implement the FILE ccache format.
> But I won't contribute patches to implement (1) because I'd have to also
> submit patches for third-party applications like pam_krb5, and I'm not
> interested in boiling oceans in general. See more below.

I misread Greg's (1) proposal. It's fine and requires no changes to
existing applications not in-tree. I'd still prefer always writing the
start-realm ccconfig because for FILE ccaches doing so means that it
will always be found quickly.