
Re: Does PAC Validation Require External Communication?



On Tue, 15 May 2007 01:00:42 -0400
Love Hörnquist Åstrand <lha@kth.se> wrote:

> > Just in case Love suddenly gets inspired by all of this - rather than
> > requiring a specific process model, I would like to see just a socket
> > descriptor and a function to process the server side so that I can use
> > it with existing muxer code. I don't want to crap up my process table
> > with daemons. Also, the IPC should be well defined and simple so that
> > I can go that low if I want.
> 
> Splitting out the work of krb5_rd_req has been on the TODO list for
> some time now.
> 
> Forking and execing a suid binary is one way, talking to an existing
> process over IPC is another. Using IPC is probably preferred since
> fork()ing inside a lib is icky to say the least (stray SIGCHLD,
> interesting fd's all over the place, etc).
> 
> If I was to write it I would write both ends and make a libkrbrdrep
> that a service lib, winbind or kcm could link with to provide the
> functionality with a simple entry point (or two).

Excellent. Sounds good.

And I agree about not forking. Mostly because it's just not necessary
- the application is in a much better position to know how to run the
service routine that accepts and processes these types of privileged
requests. Of course it wouldn't hurt to also provide a little server
program that calls the service routine that someone can run as root
or whoever.

Mike