Getting root's cred in the ccache from keytab


Getting root's cred in the ccache from keytab

Tomas Kuthan
Hi,

On Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
have it in cache, an attempt is made in krb5_gss_init_sec_context() to
get one using the system keytab. First, keys for
'root/hostname.some.domain@REALM' are sought, followed by
'host/hostname.some.domain@REALM' and 'HOSTNAME$@REALM'.

I was told that similar logic might be implemented in MIT Kerberos, but
I was not able to find support for it in the code or in the documentation.
I also did a quick test and it doesn't seem to work for me, at least not
under the same conditions as with Solaris...

Does MIT Kerberos support root getting a TGT from the keytab?
If yes, could you please point me to the place in the code?

Thanks,
Tomas
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
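The Solaris fallback described above is a lookup order over keytab entries, so a defender reviewing a host's keytab wants to know which principal that order would actually pick. The following is an added example, not code from the thread, from Solaris or from MIT Kerberos: it parses the MIT keytab file format (version 0x0502), builds the candidate list in the order the post gives, and returns the first candidate present with its highest kvno. The sample keytab is constructed in memory with `build_keytab()`; the hostname `nfs1.example.com`, realm `EXAMPLE.COM` and key bytes are constructed, and the reading of 'HOSTNAME$' as the upper-cased short hostname is an assumption.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into keytab v2 bytes.
    Used only to construct sample input for this example; not a replacement for ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))      # v2: realm not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)                         # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                         # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body           # entry length prefix
    return bytes(out)


def _read_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Parse keytab v2 bytes into a list of {principal, kvno, enctype, key} dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_string(data, pos)
            comps.append(c)
        pos += 8                     # name type and timestamp, not needed here
        vno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # 32-bit vno overrides the 8-bit one when present
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def candidate_principals(hostname, realm):
    """Search order from the post: root/host, then host/host, then HOSTNAME$.
    Assumption: HOSTNAME$ is the upper-cased short hostname."""
    short = hostname.split(".")[0].upper()
    return [f"root/{hostname}@{realm}", f"host/{hostname}@{realm}", f"{short}$@{realm}"]


def select_client_principal(keytab_bytes, hostname, realm):
    """Return the first candidate present in the keytab (highest kvno), or None."""
    best = {}
    for e in parse_keytab(keytab_bytes):
        cur = best.get(e["principal"])
        if cur is None or e["kvno"] > cur["kvno"]:
            best[e["principal"]] = e
    for cand in candidate_principals(hostname, realm):
        if cand in best:
            return best[cand]
    return None


# Constructed sample: only a host/ principal, two key versions, aes256-cts (enctype 18).
SAMPLE_ENTRIES = [
    ("host/nfs1.example.com", "EXAMPLE.COM", 2, 18, bytes(range(32))),
    ("host/nfs1.example.com", "EXAMPLE.COM", 3, 18, bytes(range(32, 64))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    sel = select_client_principal(SAMPLE_KEYTAB, "nfs1.example.com", "EXAMPLE.COM")
    print(sel["principal"], "kvno", sel["kvno"])  # host/nfs1.example.com@EXAMPLE.COM kvno 3
```

Because no root/ entry exists, the lookup falls through to host/nfs1.example.com@EXAMPLE.COM and picks kvno 3. On MIT Kerberos this Solaris order does not apply; as the reply below the post explains, initiation uses a separate client keytab rather than the acceptor keytab, so checking the acceptor keytab alone says nothing about what root can obtain there.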

Re: Getting root's cred in the ccache from keytab

Greg Hudson
On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
> have it in cache, an attempt is made in krb5_gss_init_sec_context() to
> get one using system keytab. First keys for
> 'root/hostname.some.domain@REALM' are sought, followed by
> 'host/hostname.some.domain@REALM' and 'HOSTNAME$@REALM'.
>
> I was told that similar logic might be implemented in MIT Kerberos [...]

Only for a broad definition of "similar."  After a lot of discussion, we
implemented

    http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation

which introduces the concept of the "client keytab" as distinguished
from the acceptor keytab.

Re: Getting root's cred in the ccache from keytab

Tomas Kuthan
On 03/25/14 04:53 PM, Greg Hudson wrote:

> On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
>> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
>> have it in cache, an attempt is made in krb5_gss_init_sec_context() to
>> get one using system keytab. First keys for
>> 'root/hostname.some.domain@REALM' are sought, followed by
>> 'host/hostname.some.domain@REALM' and 'HOSTNAME$@REALM'.
>>
>> I was told that similar logic might be implemented in MIT Kerberos [...]
>
> Only for a broad definition of "similar."  After a lot of discussion, we
> implemented
>
>      http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
> which introduces the concept of the "client keytab" as distinguished
> from the acceptor keytab.

So that's the client keytab!
I stumbled across it, but I wrongly considered it "not it".

Thanks,
Tomas