[1995] in Kerberos_V5_Development
Re: krb5-libs/207: KDB keytab type multiply defined and wrong
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Thu Nov 21 18:10:28 1996
Date: Thu, 21 Nov 1996 18:10:01 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: proven@cygnus.com, krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org,
proven@pbi.proven.org
In-Reply-To: Barry Jaspan's message of Wed, 20 Nov 1996 23:52:24 GMT,
<199611202352.XAA01545@beeblebrox.MIT.EDU>

   Date: Wed, 20 Nov 1996 23:52:24 GMT
   From: "Barry Jaspan" <bjaspan@MIT.EDU>

   Ted argued that having kadmind or other programs use the local kdb
   would be easier since they would not have to create a separate keytab.
   That's true, but I think not compelling. First, now we'll have to
   document both options: a file keytab created separately and a KDB
   keytab. Also, if we really wanted to make kadmind installation
   simpler, we could write a script to do it. Keytab creation in
   particular can be totally automated on the KDC with kadmin.local.
   That would be easier, and would simplify the whole kadmind
   installation process, not just the keytab creation process.

Well, if we do this, we wouldn't document the file keytab created
separately, because we wouldn't support that option.

As far as making it easier because we have a kadmind installation
script, is that really going to be good enough? The reason why we have
a new error code for "wrong key version" is because people were
forgetting to re-extract the admin keytab after they changed it, and that
(according to Barry) this was happening a lot. If this was happening a
lot, it means that people must be wanting to change the admin keys after
the initial installation, correct?
- Ted