Re: heimdal-0.7.1rc2 // hoh

Hello list members, hello Love!

|On Thu, 11 Aug 2005, Love Hörnquist Åstrand wrote:
|will be only bugfixes in this release. If you have found any bugs that you
|want to have fixed, now would be a good time to tell us about them

Now that you encourage me, I'll bring it up.
Using kadmin sometimes surprises me a bit.  Since I don't fully understand
the field, I'm in doubt about the things I got and how to weigh them.
Please indulge me in case I'm mistaken.

My context is this (test environment with AFS principals):

   Rh-El3 ( Linux 2.4.21-32.ELsmp i686 )
   Heimdal-0.7-20050719  and  asn1-choice-20050719

   #ps -ef | grep heimdal | cut -c48-
   /sw/i3_rhel3/heimdal-0.7.0/libexec/kdc --kerberos4 --kaserver --detach
   /sw/i3_rhel3/heimdal-0.7.0/libexec/ipropd-master --detach
   /sw/i3_rhel3/heimdal-0.7.0/libexec/kpasswdd -r UNI-HOHENHEIM.DE

This is my point:

  I have a ticket for 'feiler', and 'feiler' is listed in kadmind.acl
  with all rights on everything. See this:
  # klist
  Credentials cache: FILE:/tmp/krb5cc_0
          Principal: feiler@UNI-HOHENHEIM.DE

    Issued           Expires          Principal
  Aug 12 11:11:00  Aug 13 12:11:00  krbtgt/UNI-HOHENHEIM.DE@UNI-HOHENHEIM.DE
  Aug 12 11:11:00  Aug 13 12:11:00  afs@UNI-HOHENHEIM.DE
  # grep feiler kadmind.acl
  feiler          all
  rzfeiler        all

  Now I want to list some principals.

  Meanwhile I realized that kadmin silently adds the instance 'admin' if
  the available ticket does not already have one (** see MY NOTE below **).
  So I explicitly define the principal to use:  '-p feiler'.
  This results in getting asked for the passphrase of 'feiler'
  again, even though I hold a valid ticket and token.
  IMHO this is not the 'Kerberos' or 'single sign-on' way of life.

  # kadmin -p feiler  list '*feiler*'
  feiler@UNI-HOHENHEIM.DE's Password:

  OF COURSE ...
  If on the other hand the '-p feiler' is left out I get asked for the
  password of 'feiler/admin@UNI-HOHENHEIM.DE' which does not exist.

  Shouldn't kadmin (and maybe others) check the cc and possibly use these
  credentials before asking for a password over and over?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  I fully understand the idea of adding the 'admin' instance to a principal
  w/o any instance in the hope of reducing keystrokes. I hate typing too.
  [ lib/kadm5/ChangeLog: 2002-03-25  Johan Danielsson  <joda@pdc.kth.se>]

  On the other hand, I must count it as a formal error if a client tries to
  (unconditionally) work with other (unasked-for) principals than those I
  have tickets and/or tokens for.

  At first glance I think it could be a good solution to have
  this behaviour runtime-configurable, maybe in krb5.conf.
  What I have in mind looks like this:
        default_admin_instance  = "string"
  where "string" could be empty or any valid instance term.
  If one leaves this line out, "admin" might be the default (as it is now).
  This would make old AFS sites happy as well as other Heimdal users.

  Love and the other developers,
  if you agree with this idea, I could have a closer look, try to
  implement it and eventually try to send a patch to you.
  (No promise, I'm new at this.)

  So what do you think?


Mathias Feiler
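[Editor's added example, not part of the post above and not Heimdal's own code.]
The rule Mathias describes (use the explicit -p value as given; otherwise take the
credential cache's principal and append "/admin" when it carries no instance) is
small enough to model in C together with the proposed krb5.conf knob passed in as a
parameter. The function names apply_default_instance, kadmin_client_principal and
principal_is are assumptions chosen for this illustration; the real logic lives in
Heimdal's lib/kadm5 and is not reproduced here. Kerberos principal strings escape
'/' and '@' with a backslash, so the model only treats unescaped separators as such.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Heimdal code): a model of kadmin's client-principal
 * selection with the proposed default_admin_instance setting as a parameter. */

/* Index of the first unescaped occurrence of c in s, or -1 if there is none.
 * A backslash escapes the following character, as in Kerberos principal names. */
static int find_unescaped(const char *s, char c)
{
    for (int i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0') {
            i++;                        /* skip the escaped character */
            continue;
        }
        if (s[i] == c)
            return i;
    }
    return -1;
}

/* Copy of s on the heap (strdup is not in C99). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Proposed rule: if "name[@REALM]" has no instance component, insert
 * "/<default_instance>" in front of the realm.  An empty default_instance
 * (the proposed krb5.conf value) leaves the name untouched.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *apply_default_instance(const char *princ, const char *default_instance)
{
    int at = find_unescaped(princ, '@');
    size_t head_len = (at < 0) ? strlen(princ) : (size_t)at;
    const char *tail = princ + head_len;            /* "@REALM" or "" */
    char *head, *out;
    int append;
    size_t need;

    head = malloc(head_len + 1);
    if (head == NULL)
        return NULL;
    memcpy(head, princ, head_len);
    head[head_len] = '\0';

    /* Only an unescaped '/' before the realm counts as an instance separator. */
    append = (find_unescaped(head, '/') < 0) && head_len > 0
             && default_instance[0] != '\0';
    need = strlen(princ) + 1 + (append ? 1 + strlen(default_instance) : 0);

    out = malloc(need);
    if (out != NULL) {
        if (append)
            snprintf(out, need, "%s/%s%s", head, default_instance, tail);
        else
            memcpy(out, princ, need);               /* unchanged, incl. NUL */
    }
    free(head);
    return out;
}

/* Client principal as observed in the post: an explicit -p value is used
 * verbatim (hence the prompt for feiler's own password); without -p the
 * credential cache principal is taken and the default instance rule applied. */
char *kadmin_client_principal(const char *p_option, const char *cc_principal,
                              const char *default_instance)
{
    if (p_option != NULL)
        return dup_string(p_option);
    if (cc_principal == NULL)
        return NULL;                                /* no ccache, nothing to derive */
    return apply_default_instance(cc_principal, default_instance);
}

/* Convenience check: 1 if the derived principal equals expected, else 0. */
int principal_is(const char *p_option, const char *cc_principal,
                 const char *default_instance, const char *expected)
{
    char *got = kadmin_client_principal(p_option, cc_principal, default_instance);
    int ok = (got != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs matching the klist output in the post. */
    const char *cc = "feiler@UNI-HOHENHEIM.DE";
    const char *settings[] = { "admin", "" };       /* current default vs. proposed empty */

    for (int i = 0; i < 2; i++) {
        char *p = kadmin_client_principal(NULL, cc, settings[i]);
        printf("default_admin_instance=\"%s\"  ->  %s\n", settings[i], p ? p : "(null)");
        free(p);
    }
    char *p = kadmin_client_principal("feiler", cc, "admin");
    printf("-p feiler                      ->  %s\n", p ? p : "(null)");
    free(p);
    return 0;
}
```

With the default setting the cache principal feiler@UNI-HOHENHEIM.DE becomes
feiler/admin@UNI-HOHENHEIM.DE, which is exactly the non-existent principal kadmin
asked a password for; with an empty default_admin_instance the name stays as it is,
and a principal that already carries an instance (rzfeiler/admin) is never touched.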

