[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]



On Thu, Feb 02, 2006 at 06:18:13PM +0200, Juha J. wrote:

> You missed the point. If .k5login is *missing* there is no harm done,
> "if(ret != ENOENT)" takes care of that. BUT if the authenticating process
> *cannot access* the .k5login (ret==EACCES), MIT goes to check if the user
> is trying to log in as oneself, whereas Heimdal treats this as if the user
> was not listed in .k5login and does not call match_local_principals().

more precisely, (from consulting the source, i admit) it appears that
MIT applies the default mapping only if access(.., F_OK) != 0, but that,
otherwise, if (subsequent to the access() check) opening the file for
reading fails for any reason, it returns FALSE

i gather, in the case of your AFS home directories, you mostly just care
about the initial access() check, but if people want to change Heimdal's
behavior it's worth having the alternatives precisely spelled out (which
means somebody besides me should probably confirm this and any other sub-
tleties of MIT's implementation and don't listen to me)

p.s.--apologies for having to abbreviate your surname, but my system
(the way i have it configured) can't handle some of the characters--
at least not displaying them