[32907] in Kerberos


Re: Problems with kprop and incremental propagation - works but bugs

daemon@ATHENA.MIT.EDU (Matej Zagiba)
Tue Nov 16 11:00:29 2010

Message-ID: <4CE24D74.7000504@fmph.uniba.sk>
Date: Tue, 16 Nov 2010 10:23:00 +0100
From: Matej Zagiba <matej.zagiba@fmph.uniba.sk>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <1289866444.2633.1187.camel@ray>

Hello,

  thank you for the help, I was reading the source code, but I got lost :-)

Anyway, I noticed kpropd has an -F switch to specify the path to the database, but it's used only in
full replication when passing arguments to kdb5_util. It would be nice to use this argument
to override config files in incremental propagation as well.

I suppose not too many people use incremental propagation; it's a relatively new feature,
but I must say after getting it to work, it's a perfect solution.

  thanks for all the help

   Matej Zagiba


On 11/16/2010 01:14 AM, Greg Hudson wrote:
> I can confirm two bugs that you have encountered and worked around:
>
> 1. kprop uses krb5_sname_to_principal() to determine its client
> principal, and does not understand the referral realm.  So it does not
> work without a -r parameter unless the profile's domain_realm section
> can map the local hostname.  You worked around this by correcting your
> existing domain_realm section in your profile.
>
> A reasonable, if not perfect, fix here is to do what kpropd does in a
> similar piece of code: substitute the default realm for the referral
> realm when using the result of krb5_sname_to_principal() as a client
> principal.
>
> 2. kpropd, when processing incremental updates, modifies the KDB using
> ulog_replay(), but does not initialize its context to use the KDC
> profile, so it uses only settings from krb5.conf to find the KDB.  You
> worked around this with symlinks.  An alternative workaround would be to
> put the KDB configuration into krb5.conf instead of kdc.conf.  (In the
> past, it used to be required to put KDB configuration into krb5.conf.
> That odd requirement was relaxed somewhere around krb5 1.5 for most
> programs which run on the KDC, but a few have escaped the net, including
> kpropd.)
>
> I will open issues for both bugs and try to get them fixed for 1.9.
> Thanks for your investigative work.
>
>
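The second bug in the thread above can be checked for on a replica before enabling incremental propagation. The following is an added example, not code from the thread or from MIT krb5: it lists KDB-locating settings that exist in kdc.conf but that a program reading only krb5.conf would not see. The realm, host name and path are constructed placeholders, and the parser handles only the subset of the profile syntax shown.

```python
import re
# Constructed sample profiles; realm, host and path are placeholders.
KRB5_CONF = """
[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
    }
"""
KDC_CONF = """
[realms]
    EXAMPLE.TEST = {
        database_name = /srv/krb5kdc/principal
        max_life = 10h
    }
"""

def parse_profile(text):
    """Parse the profile subset used here: [section], key = value, key = { ... }."""
    tree, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [tree.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()  # close the innermost { ... } block
        elif "=" in line and stack and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return tree

def kdb_settings(profile):
    """Collect the settings that tell a program where the KDB lives."""
    found = {}
    for realm, body in profile.get("realms", {}).items():
        for key in ("database_name", "database_module"):
            if isinstance(body, dict) and key in body:
                found[("realms", realm, key)] = body[key]
    for module, body in profile.get("dbmodules", {}).items():
        for key, val in (body.items() if isinstance(body, dict) else ()):
            found[("dbmodules", module, key)] = val
    return found

def missing_from_krb5_conf(krb5_text, kdc_text):
    """KDB settings in kdc.conf that a krb5.conf-only reader would not see."""
    seen = kdb_settings(parse_profile(krb5_text))
    wanted = kdb_settings(parse_profile(kdc_text))
    return sorted(k for k, v in wanted.items() if seen.get(k) != v)
```

A non-empty result means the affected kpropd would fall back to defaults for those settings, which is the condition the symlink and krb5.conf workarounds in the thread address.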
