[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Incomplete documentation

To: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
Subject: Re: Incomplete documentation
From: Andreas Haupt <ahaupt@ifh.de>
Date: Fri, 19 Sep 2003 13:45:52 +0200 (MEST)
cc: heimdal-discuss@sics.se
In-Reply-To: <Pine.OSF.4.51.0309191315590.88850@tao.natur.cuni.cz>
References: <Pine.OSF.4.51.0309041617460.382176@tao.natur.cuni.cz><xofoey01uwp.fsf@blubb.pdc.kth.se> <Pine.OSF.4.51.0309041641310.382176@tao.natur.cuni.cz><xofk78o1lyc.fsf@blubb.pdc.kth.se> <Pine.OSF.4.51.0309172328290.370291@tao.natur.cuni.cz><amznh2c8qx.fsf@nutcracker.stacken.kth.se> <Pine.OSF.4.51.0309182112290.456757@tao.natur.cuni.cz><Pine.LNX.4.58.0309191222340.26415@juno.ifh.de><Pine.OSF.4.51.0309191315590.88850@tao.natur.cuni.cz>
Sender: owner-heimdal-discuss@sics.se

On Fri, 19 Sep 2003, [iso-8859-2] Martin MOKREJ? wrote:

> On Fri, 19 Sep 2003, Andreas Haupt wrote:
> > The database is also encrypted on the slaves, just as Love already told
> > you. If you don't put /var/heimdal/m-key onto the slave as well, the kdc
> > on the slave will no be able to read the database - this means you cannot
> > authenticate against a slave server.
>
> So you say the data stored on slaves is encrypted with the m-key key
> present on master? That means hpropd on slave receives the data encypted
> and just stores them on the disk.

Right!

> Will kdc on slaves complain that there's no m-key and therefore it cannot
> decrypt the database hpropd created?

That's a good question. I think yes.

> I still don't understand how kdc on slaves knows it's not master kdc, and
> therefore should accept any password changes.

The kdc does not even care about this. It just takes the requested key out
of the database. The kdc does not care about key changing at all. Other
processes like hpropd, ipropd do the changes in the database. The kdc just
gets the new ones after changing.

> Is it so that kadmind accepts the user's password changes? I thought it's
> only for convience of admins to give them chance to use kadmin(1). ;)

kpasswdd (taking the new password from the client part kpasswd) does
the changing of user passwords. But kadmind is able to do this as well
(with kadmin).

> Or is it so that the `kdc = host.domain' defines on users machine where the
> passwords are sent to? As there can be multiple `kdc = ' lines I deduce
> that slaves do accepts password changes from users and cross-talk together.
> But I don't believe this as I don't run hpropd on my master. ;)

No, the entry kpasswd_server tells kpasswd where to find the daemon. If
this is not set it takes the entry admin_server.

Greetings
Andreas

-- 
Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen

Follow-Ups:
- Re: Incomplete documentation
  - From: Love <lha@stacken.kth.se>

References:
- Incomplete documentation
  - From: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
- Re: Incomplete documentation
  - From: Love <lha@stacken.kth.se>
- Re: Incomplete documentation
  - From: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
- Re: Incomplete documentation
  - From: Andreas Haupt <ahaupt@ifh.de>
- Re: Incomplete documentation
  - From: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>

Prev by Date: Re: Incomplete documentation
Next by Date: Re: 3DES or equivalent telnet encryption with kerberos
Prev by thread: Re: Incomplete documentation
Next by thread: Re: Incomplete documentation
Index(es):
- Date
- Thread