[1991] in Kerberos_V5_Development
Re: krb5-libs/207: KDB keytab type multiply defined and wrong
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Nov 20 18:53:11 1996
Date: Wed, 20 Nov 1996 23:52:24 GMT
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: proven@cygnus.com
Cc: krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org, proven@pbi.proven.org
In-Reply-To: <199611202245.RAA00301@qed.proven.org> (message from Christopher Provenzano on Wed, 20 Nov 1996 17:45:17 -0500)
> You could have the keytab resolve routine read the stash file getting the
> master key, then open the database and attach all of the db_context info
> to a keytab.
I thought of that, and it does seem like a possibility. It does,
however, require the keytab layer to know where the stash file is
stored. That is specified in kdc.conf, and might (theoretically) be
overridden on kadmind's command line. So, now we'd need to be able to
pass through the GSS-API info about the keytab and the stash file.
Not ideal.
> How about kprop or for that matter any server running on a machine with
> the database. Is there a reason to have the database AND a keytab on the
> same machine?
Because the keytab code already works, and works well. The KDB keytab
code does not work, and has all the problems I've already mentioned.
I don't see the benefit associated with the cost of fixing it.
Ted argued that having kadmind or other programs use the local kdb
would be easier since they would not have to create a separate keytab.
That's true, but I think not compelling. First, now we'll have to
document both options: a file keytab created separately and a KDB
keytab. Also, if we really wanted to make kadmind installation
simpler, we could write a script to do it. Keytab creation in
particular can be totally automated on the KDC with kadmin.local.
That would be easier, and would simplify the whole kadmind
installation process, not just the keytab creation process.
So, again, I say that the KDB keytab layer is a neat idea, and would
be nice if we already had it, but pretty much the only reason at all
to have it is its coolness factor, and it just isn't *that* cool, so
why bother?
Barry
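The automation Barry sketches (creating kadmind's keytab on the KDC with kadmin.local rather than teaching the keytab layer to read the database) can be a short script. The following is an added example, not code from the thread or from the MIT krb5 distribution. It assumes the MIT command-line tools `kadmin.local -q`, `ktadd -k` and `klist -k`, the kadmind service principals `kadmin/admin` and `kadmin/changepw`, and a `DRY_RUN` variable (hypothetical, for this script only) that prints the command instead of running it so the logic can be checked on a host without a KDC.

```shell
#!/bin/sh
# Added example: create the keytab kadmind needs, on the KDC, with kadmin.local.
# Assumed tools: kadmin.local -q, ktadd -k, klist -k (MIT krb5 CLI).
# DRY_RUN is a hypothetical knob for this script; set DRY_RUN=1 to print
# the kadmin.local command instead of executing it.

# Compose the ktadd query for one keytab and any number of principals.
# $1 = keytab path; remaining arguments = principal names.
build_ktadd_query() {
  keytab=$1
  shift
  echo "ktadd -k $keytab $*"
}

# Extract kadmin/admin and kadmin/changepw for the given realm into a keytab.
# $1 = keytab path (default: /var/kerberos/krb5kdc/kadm5.keytab)
# $2 = realm name, e.g. EXAMPLE.COM
create_kadmind_keytab() {
  keytab=${1:-/var/kerberos/krb5kdc/kadm5.keytab}
  realm=$2
  [ -n "$realm" ] || { echo "realm required" >&2; return 2; }

  query=$(build_ktadd_query "$keytab" "kadmin/admin@$realm" "kadmin/changepw@$realm")

  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "kadmin.local -q \"$query\""
    return 0
  fi

  # kadmin.local reads the master key from the stash file named in kdc.conf,
  # so the script itself never needs to know where the stash lives.
  kadmin.local -q "$query" || return 1

  # Verify both service principals actually landed in the keytab.
  klist -k "$keytab" | grep -q 'kadmin/admin@'    || return 1
  klist -k "$keytab" | grep -q 'kadmin/changepw@' || return 1

  # The keytab holds long-term keys: readable by the kadmind user only.
  chmod 600 "$keytab"
}

# Usage on the KDC (as root):
#   create_kadmind_keytab /var/kerberos/krb5kdc/kadm5.keytab EXAMPLE.COM
```

One caveat worth knowing before running this: `ktadd` assigns the principal a fresh random key as it writes the keytab entry, so every run invalidates any keytab previously extracted for the same principals; run it once per host, and re-run only when rotating the keys on purpose.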