[1956] in Kerberos_V5_Development
Re: krb5-libs/182: /etc/v5srvtab -> /etc/krb5.keytab
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Nov 13 12:54:03 1996
Date: Wed, 13 Nov 1996 12:53:41 -0500
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: tlyu@MIT.EDU
Cc: krbdev@MIT.EDU, krb5-bugs@MIT.EDU
In-Reply-To: <9611131728.AA27510@tesla-coil.MIT.EDU> (message from Tom Yu on
Wed, 13 Nov 1996 12:28:23 -0500)

ovsec_kadmd.c was relying on the old
global variable mechanism (krb5_defkeyname) to set the default keytab
name for the gssapi/krb5 layer. This violates abstractions right and
left.

If I recall properly, kadmind sets krb5_defkeyname because there was
no other way to specify the keytab that the GSS-API krb5 mechanism
will use to accept a context. Perhaps now we can use KRB5_KTNAME, but
that environment variable did not exist when kadmind was implemented.
I'm not sure how that interacts with secure/unsecure contexts, nor
which kadmind is using.

For that matter why are the kadm5 tests passing?

The client-side kadm5 tests use a credential cache, not a keytab, to
authenticate to kadmind. The server-side kadm5 tests do not use any
Kerberos authentication at all. So, neither set of kadm5 api tests
need to specify a keytab to use.

Anyone have any bright ideas on this subject?

Yes, I do. Back out your changes and leave them for post-1.0.

Barry