Suggestion of change to certauth plugin interface

Greg Hudson ghudson at
Fri Dec 9 00:45:06 EST 2022

On 12/7/22 15:42, Ken Hornstein via krbdev wrote:
> I just now realized that there's not a wonderful way of getting the
> list of realms the KDC is configured to use AND it would be incredibly
> useful if the certauth plugin knew the list of configured KDC realms.
> Is it possible that the realmlist could be passed to the certauth plugin
> initialzer function?  I realize that would probably require a major bump
> to the certauth plugin API.

This wouldn't necessarily require a major API bump, but can you 
elaborate on what a certauth module would be interested in the 
configured realm list, and can't build it up as queries come in?

There's a potential mode of KDC operation where multiple realms live in 
the same database, and realms can be added and removed while the KDC is 
running.  This mode isn't currently supported (the kadmin/kdb5_util 
tooling doesn't exist, and the KDC code only 99% supports it), but I'd 
like to think carefully about adding plugin interfaces which conflict 
with that option.

Does NRL use the current multiple realm KDC support?  I have been 
assuming that it's very rare to do so, because there isn't equivalent 
support in kadmind.

More information about the krbdev mailing list