[1998] in Kerberos_V5_Development
Re: krb5-libs/207: KDB keytab type multiply defined and wrong
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Fri Nov 22 13:08:43 1996
Date: Fri, 22 Nov 1996 13:06:30 -0500
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: tytso@MIT.EDU
Cc: proven@cygnus.com, krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org,
proven@pbi.proven.org
In-Reply-To: <9611212310.AA01361@dcl.MIT.EDU> (tytso@MIT.EDU)
As far as making it easier because we have a kadmind installation
script, is that really going to be good enough? The reason why we have
a new error code for "wrong key version" is because people were
forgetting to re-extrat the admin keytab after they changed it, and that
(according to Barry) this was happening a lot. If this was happening a
lot, it means that people must be wanting to change the admin keys after
the initial installation, correct?
That is a good argument, yes.
But again, I point out that no one here knows any practical way to
make the KDB keytab layer work. So, while it might be a good idea, it
is currently impossible and therefore out of the question. Making it
work will require krb5 GSS-API design changes, possibly requiring
careful coordination with other krb5 and GSS-API providers as well as
with the standarization process, so it will not be done soon.
I thought of another option. If having kadmind depend on a
user-created keytab is too much hassle, kadmind can simply extract the
keytab file itself every time it is run. The kadm5 server libraries
can extract the keys without changing them; it could then just
overwrite the keytab file specified in kdc.conf with entries that are
guarnanteed to be right. Comments?
Barry
