[36737] in Kerberos
Re: question about MIT kpasswd and RPCSEC_GSS
daemon@ATHENA.MIT.EDU (Will Fiveash)
Wed Jan 21 18:17:40 2015
Date: Wed, 21 Jan 2015 17:17:28 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: kerberos@mit.edu
Message-ID: <20150121231728.GA27915@oracle.com>
Mail-Followup-To: kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ldvbnlrixjg.fsf@sarnath.mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, Jan 21, 2015 at 05:22:43PM -0500, Tom Yu wrote:
> Will Fiveash <will.fiveash@oracle.com> writes:
>
> > When talking to a older Solaris KDC that only supports the RPCSEC_GSS
> > protocol for change password request, will the current MIT kpasswd
> > command just work or does it require some non-default configuration
> > (some parameter set in krb5.conf)?
>
> My recollection is that we used to have a different kpasswd client
> program (dating back to the OV*Secure contribution, maybe) that did
> speak the kadm5 RPC protocol, but removed it. Now we only have a
> kpasswd client that speaks the kpasswd protocol.
Thanks, I was looking through some older notes I made about this and the
code and felt I had entered a maze of twisty passages that all looked
alike. Anyway (to make sure I'm clear) it's my understanding that MIT
back in 1.4 added support for kadmin/kadmind communication via
RPCSEC_GSS which made MIT kadmin compatible with Solaris kadmind. My
notes on this also implied that the MIT kpasswd was updated to use
RPCSEC_GSS or SET_CHANGE:
MIT supports a SET_CHANGE protocol for changing password. In 1.4
they added support for our RPCSEC_GSS protocol.
It could be that I was mistaken about this which prompted my earlier
question.
--
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
