Re: heimdal-0.7.1rc2 // hoh
Hello list members, hello Love!
|On Thu, 11 Aug 2005, Love Hörnquist Åstrand wrote:
|.....
|will be only bugfixes in this release. If you have found any bugs that you
|want to have fixed, now would be a good time to tell us about them
Now that you encourage me, I'll bring it up.
Using kadmin sometimes surprises me a bit. Since I don't fully understand
the field, I'm in doubt about the things I got and how to weigh them.
Please indulge me in case I'm screwed.
My context is this (test environment with AFS principals):
Rh-El3 ( Linux 2.4.21-32.ELsmp i686 )
Heimdal-0.7-20050719 and asn1-choice-20050719
#ps -ef | grep heimdal | cut -c48-
/sw/i3_rhel3/heimdal-0.7.0/libexec/kdc --kerberos4 --kaserver --detach
/sw/i3_rhel3/heimdal-0.7.0/libexec/ipropd-master --detach
/sw/i3_rhel3/heimdal-0.7.0/libexec/kpasswdd -r UNI-HOHENHEIM.DE
/sw/i3_rhel3/heimdal-0.7.0/libexec/kadmind
This is my point:
I have a ticket for 'feiler', and 'feiler' is listed in kadmind.acl
with all rights on everything. See this:
-----------------------8<-----------------------8<----------------
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: feiler@UNI-HOHENHEIM.DE
Issued Expires Principal
Aug 12 11:11:00 Aug 13 12:11:00 krbtgt/UNI-HOHENHEIM.DE@UNI-HOHENHEIM.DE
Aug 12 11:11:00 Aug 13 12:11:00 afs@UNI-HOHENHEIM.DE
#
# grep feiler kadmind.acl
feiler all
rzfeiler all
#
-----------------------8<-----------------------8<----------------
Now I want to list some principals.
Meanwhile I realized that kadmin silently adds the instance 'admin' if
the available ticket does not already have one (** see MY NOTE below **).
So I explicitly define the principal to use: '-p feiler'.
This results in getting asked for the passphrase of 'feiler'
again, even though I hold a valid ticket and token.
IMHO this is not the 'kerberos' or 'single sign on' way of life.
-----------------------8<-----------------------8<----------------
# # kadmin -p feiler list '*feiler*'
feiler@UNI-HOHENHEIM.DE's Password:
feiler
feilert
rzfeiler
-----------------------8<-----------------------8<----------------
OF COURSE ...
If, on the other hand, the '-p feiler' is left out, I get asked for the
password of 'feiler/admin@UNI-HOHENHEIM.DE', which does not exist.
QUESTION:
Shouldn't kadmin (and maybe others) check the cc and possibly use these
credentials before asking for a password over and over?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MY NOTE:
I fully understand the idea of adding the 'admin' instance to a principal
w/o any instance in the hope of reducing keystrokes. I hate typing too.
[ lib/kadm5/ChangeLog: 2002-03-25 Johan Danielsson <joda@pdc.kth.se>]
On the other side, I must count it as a formal error if a client tries to
(unconditionally) work with other (unasked) principals than those I
have tickets and/or tokens for.
At first glance I think it could be a good solution to have
this habit runtime-configurable, maybe in krb5.conf.
What I have in mind looks like this:
-----------------------8<---------------------
[appdefaults]
default_admin_instance = "string"
-----------------------8<---------------------
Where "string" could be empty or any valid instance term.
If one leaves this line out, "admin" might be the default (as it is now).
This would make old AFS sites happy as well as other Heimdal users.
Love and the other developers,
if you agree with this idea, I could have a closer look, try to
implement it and eventually try to send a patch to you.
(No promise, I'm new at this.)
So what do you think?
Sincerely
Mathias Feiler
For questions I am gladly at your disposal, but I prefer to be
contacted by telephone ( 3949 or +49 (0)179 6954907 ). Thanks.
Respectfully and with kind regards, M.Feiler
----
With computer viruses it is the same as with various venereal
diseases: mostly you CATCH them when you are too careless
and have unprotected intercourse.
PGP public key & Homepage : http://www.uni-hohenheim.de/~feiler
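A small model of the behaviour discussed in this mail, added here as an example and not Heimdal's own code: it resolves which principal kadmin would try from the cached principal plus the proposed (hypothetical) default_admin_instance setting, then looks that name up in a kadmind.acl-style list. The krb5.conf fragment and ACL contents are constructed, and the ACL check is simplified to the "principal rights" line form.

```python
import re

# Constructed krb5.conf fragment using the [appdefaults] key proposed in the mail.
KRB5_CONF = """
[libdefaults]
    default_realm = UNI-HOHENHEIM.DE

[appdefaults]
    default_admin_instance = ""
"""

# Constructed kadmind.acl, same shape as the lines grepped in the mail.
KADMIND_ACL = """
feiler   all
rzfeiler all
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}, quotes stripped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip()] = value.strip().strip('"')
    return sections

def admin_principal(ccache_principal, conf):
    """Principal kadmin would try for the cached principal.
    Missing setting -> append "admin" (today's behaviour); "" -> leave as is."""
    instance = conf.get("appdefaults", {}).get("default_admin_instance", "admin")
    name, _, realm = ccache_principal.partition("@")
    if "/" in name or not instance:      # already has an instance, or none wanted
        return ccache_principal
    return f"{name}/{instance}@{realm}"

def acl_rights(principal, acl_text):
    """Rights granted by 'principal rights' ACL lines; None if no entry matches."""
    name = principal.partition("@")[0]
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == name:
            return fields[1]
    return None
```

With the setting left out, the cached 'feiler' ticket is mapped to 'feiler/admin', which has no ACL entry; with an empty instance the lookup hits the existing 'feiler all' line.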