On Thu, 2011-05-12 at 13:58 -0400, Nico Williams wrote:
> Really, what should happen is that mech_krb5's gss_init_sec_context()
> automatically gets a TGT using a keytab if there's a keytab available.
> Solaris' implementation does that, though sadly it only does it for
> processes running as root.

I've thought about handling this at the ccache layer, although I was never comfortable with the kind of syntax required to stuff a keytab name, a subsidiary ccache name, and some auxiliary parameters into a ccache specification:

  AUTO:kt=FILE:/etc/krb5.keytab;cc=FILE:/tmp/filename;min_life=1h

... it doesn't seem very friendly.

So, maybe it's simpler to handle it at the GSSAPI layer. Heimdal does this, storing the acquired credentials in a memory ccache. That approach could generate a lot of unnecessary AS-REQs, particularly in combination with SPNEGO. On the plus side, it finesses the issue of whether to get a new credential with the keytab or use an existing one which is about to expire.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
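As an added illustration (editor's example, not code from MIT krb5, Heimdal, or anyone in this thread), here is a parser for the proposed AUTO: ccache specification together with the refresh decision that the min_life parameter implies. The AUTO: syntax was only floated in the message above and this is one reading of it; the defaults assumed for a missing cc= (a memory ccache, as Heimdal uses) and min_life= (5 minutes) are the editor's assumptions, not anything the thread specifies. The notable parsing point is that the parameter values themselves contain ':' (FILE:/path), so only the first colon can be treated as the ccache type separator.

```python
"""Parser and TGT refresh policy for the hypothetical AUTO: ccache
specification discussed in the thread.  Editor's illustrative code; the
AUTO: syntax is a proposal from the mailing-list message, not an
implemented feature of MIT krb5 or Heimdal."""
import re
from dataclasses import dataclass
from typing import Optional

_DURATION_RE = re.compile(r"(\d+)([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> int:
    """Parse a krb5-style lifetime such as '1h', '30m', '1h30m' or '2d' into seconds."""
    pos = 0
    total = 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:          # reject junk between or before components
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError(f"bad duration: {text!r}")
    return total


@dataclass(frozen=True)
class AutoCcache:
    keytab: str      # keytab to acquire the TGT from, e.g. "FILE:/etc/krb5.keytab"
    ccache: str      # subsidiary ccache holding the acquired TGT, e.g. "FILE:/tmp/filename"
    min_life: int    # seconds of remaining TGT life below which a fresh AS-REQ is done


def parse_auto_spec(spec: str) -> AutoCcache:
    """Parse 'AUTO:kt=<keytab>;cc=<ccache>;min_life=<duration>'.

    Only the first ':' separates the ccache type from its residual; the
    parameter values contain ':' themselves (FILE:/path), so the residual is
    split on ';' and each field on its first '='.
    """
    ctype, sep, rest = spec.partition(":")
    if ctype != "AUTO" or not sep:
        raise ValueError(f"not an AUTO ccache spec: {spec!r}")
    params = {}
    for field in rest.split(";"):
        key, eq, value = field.partition("=")
        if not eq or not key or not value:
            raise ValueError(f"malformed parameter: {field!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key!r}")
        params[key] = value
    unknown = set(params) - {"kt", "cc", "min_life"}
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    if "kt" not in params:
        raise ValueError("AUTO spec requires kt=")
    # Assumed defaults (editor's choice): memory ccache and a 5 minute floor.
    return AutoCcache(
        keytab=params["kt"],
        ccache=params.get("cc", "MEMORY:"),
        min_life=parse_duration(params.get("min_life", "5m")),
    )


def needs_fresh_tgt(spec: AutoCcache, tgt_endtime: Optional[int], now: int) -> bool:
    """Decide whether the initiator should go to the keytab for a new TGT.

    No cached TGT (None), or one with less than min_life seconds remaining,
    triggers an AS-REQ; otherwise the existing credential is reused.  This is
    the check that avoids one AS-REQ per context, the cost of always acquiring
    into a throwaway memory ccache.
    """
    if tgt_endtime is None:
        return True
    return tgt_endtime - now < spec.min_life


if __name__ == "__main__":
    s = parse_auto_spec("AUTO:kt=FILE:/etc/krb5.keytab;cc=FILE:/tmp/filename;min_life=1h")
    print(s)
    print("refresh now?", needs_fresh_tgt(s, tgt_endtime=1_700_000_000 + 600, now=1_700_000_000))
```

The min_life floor is what decides between "reuse the credential that is about to expire" and "go back to the keytab"; setting it to at least the longest expected context setup (including the extra round trips SPNEGO can add) keeps a TGT from expiring mid-exchange without paying for a new AS-REQ on every gss_init_sec_context() call.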
