[1988] in Kerberos_V5_Development


Re: krb5-libs/207: KDB keytab type multiply defined and wrong

daemon@ATHENA.MIT.EDU (Christopher Provenzano)
Wed Nov 20 17:49:44 1996

Reply-To: proven@cygnus.com
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org,
        proven@pbi.proven.org
In-Reply-To: Your message of "Wed, 20 Nov 1996 18:31:17 GMT."
             <199611201831.SAA29286@beeblebrox.MIT.EDU> 
Date: Wed, 20 Nov 1996 17:45:17 -0500
From: Christopher Provenzano <proven@proven.org>


> 
> Having little else to do at the moment, I decided to try to get the
> KDB keytab stuff working.  The patches were not that complicated, but
> it turns out that they cannot work for a deeper reason.  The problem
> is that kadmind is a GSS-API application.  The GSS-API uses its own
> krb5_context for talking to the krb5 libraries, instead of using a
> context inherited from kadmind proper.  kadmind's context has the
> master key in it, but GSS-API's does not.  The KDB keytab code
> requires the master key, but is called by GSS-API, so the master key
> is not available.  Mission fails.
> 
> The only decent way to solve this is to figure out the correct way to
> interface mechanism-specific information with the GSS-API.  This is
> not going to happen in the near future.

You could have the keytab resolve routine read the stash file to get the
master key, then open the database and attach all of the db_context info
to a keytab.

> 
> I will now argue that the KDB keytab code should be removed from the
> tree:
> 
> 1.  kadmind, and perhaps the KDC, are the only two processes that can
> realistically use a KDB keytab.  

How about kprop, or for that matter any server running on a machine with
the database? Is there a reason to have the database AND a keytab on the
same machine?

> 
> 2.  kadmind already uses a file-based keytab for
> kadmin/{admin,changepw} and it works fine.  There is no reason to add
> extra code to reimplement working functionality.  Furthermore, as
> discussed above, there is no simple way to make kadmind use the KDB
> keytab anyway.

Other than that you've lost functionality. The old kadmind did not require
a keytab file.

CAP
