
Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]



> Please do not use misleading subjects. This is a behavior difference,

I'm sorry. I was writing the message actually on Monday, but it got
postponed. I originally thought that there indeed was an API difference,
but later learned the truth and forgot to change the topic.

> Otherwise, I'm using libpam-heimdal and I have no problem with .k5login
> being missing.

You missed the point. If .k5login is *missing* there is no harm done,
"if(ret != ENOENT)" takes care of that. BUT if the authenticating process
*cannot access* the .k5login (ret==EACCES), MIT goes to check if the user
is trying to log in as oneself, whereas Heimdal treats this as if the user
was not listed in .k5login and does not call match_local_principals().

Note that at this point, ret will contain the errno set by a failed
fopen(), so I think treating EACCES just like ENOENT is the correct
behaviour.

Cheers,
Juha

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------
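
The two treatments of an unreadable .k5login described in the message above, as an added simplified model. It is not part of the original message and not code from Heimdal or MIT. All function and enum names are hypothetical, and the "logging in as oneself" check is reduced to a string comparison.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names: a model of the thread's description, not library code. */
enum eacces_policy { EACCES_AS_MISSING, EACCES_AS_NOT_LISTED };

/* Return 1 if `principal` is a whole line of the already opened file. */
static int listed_in(FILE *f, const char *principal)
{
    char line[256];
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, principal) == 0)
            return 1;
    }
    return 0;
}

/* Given the errno of a failed fopen(), decide whether to fall back to the
   "logging in as oneself" check. Any other error denies under both policies
   (an assumption of this model). */
int fallback_to_self_check(int open_errno, enum eacces_policy policy)
{
    if (open_errno == ENOENT)
        return 1;
    if (open_errno == EACCES)
        return policy == EACCES_AS_MISSING;
    return 0;
}

/* 1 = allow, 0 = deny. `self` stands in for the local-principal match. */
int model_userok(const char *k5login_path, const char *principal,
                 const char *self, enum eacces_policy policy)
{
    FILE *f = fopen(k5login_path, "r");
    if (f != NULL) {
        int ok = listed_in(f, principal);
        fclose(f);
        return ok;
    }
    int open_errno = errno; /* capture before any other call can change it */
    if (fallback_to_self_check(open_errno, policy))
        return strcmp(principal, self) == 0;
    return 0;
}
```

With `EACCES_AS_MISSING` a user whose .k5login cannot be read by the authenticating process can still log in as themselves; with `EACCES_AS_NOT_LISTED` the same user is denied.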
