[1986] in Kerberos_V5_Development
Re: krb5-libs/207: KDB keytab type multiply defined and wrong
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Wed Nov 20 16:45:54 1996
Date: Wed, 20 Nov 1996 16:44:35 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: bjaspan@MIT.EDU, krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org
In-Reply-To: Barry Jaspan's message of Wed, 20 Nov 1996 18:31:17 GMT,
<199611201831.SAA29286@beeblebrox.MIT.EDU>
Date: Wed, 20 Nov 1996 18:31:17 GMT
From: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org
Having little else to do at the moment, I decided to try to get the
KDB keytab stuff working. The patches were not that complicated, but
it turns out that they cannot work for a deeper reason. The problem
is that kadmind is a GSS-API application. The GSS-API uses its own
krb5_context for talking to the krb5 libraries, instead of using a
context inherited from kadmind proper. kadmind's context has the
master key in it, but GSS-API's does not. The KDB keytab code
requires the master key, but is called by GSS-API, so the master key
is not available. Mission fails.
Ultimately, we're going to need to specify a krb5-specific API for our
GSSAPI library, for specifying things such as "which keytab to use"
(right now, the kadm library sets a magic global variable which it
happens to know *for* *our* *implementation* will do the right thing).
So in the future we can put in a better API to do the right thing.
2. kadmind already uses a file-based keytab for
kadmin/{admin,changepw} and it works fine. There is no reason to add
extra code to reimplement working functionality. Furthermore, as
discussed above, there is no simple way to make kadmind use the KDB
keytab anyway.
It "works fine" as long as you don't count all of the confused people
who have screwed up because they either (a) don't create the keytab
file, or (b) forget to update the keytab file after changing the kadmin
key. Indeed, we had enough cases of people who lost this way that we
added a new error code to help reduce some of our support load when
people lost in this fashion.
Post-1.0 we may wish to revisit this and decide whether or not it would
be useful to change kadmind to use the file-based keytab. Once we design
the krb5-specific access functions to our GSSAPI library (which I argue
we will need to do for other reasons), the job of using the db
keytab will be utterly trivial.
- Ted