[38599] in Kerberos

Re: krb5 library missing functions for collections

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 15 12:21:34 2019

To: Charles Hedrick <hedrick@rutgers.edu>, Jakub Hrozek <jhrozek@redhat.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <0f35b456-2a19-7c0a-1945-ba8556d7d588@mit.edu>
Date: Thu, 15 Aug 2019 12:21:20 -0400
In-Reply-To: <66D708A7-6FAA-42FD-A8BE-DA18E9B9C226@rutgers.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On 8/15/19 10:01 AM, Charles Hedrick wrote:
> I can actually do the combination of MIT libkrb5 and Heimdal KCM. I’m assuming that the Mac has a normal Heimdal KCM.

It appears they differ in this regard.  The kcm_access() function
determines which clients see which caches, and the implementations are
totally different in the upstream and Apple-customized Heimdal versions.
The two versions can be seen here:

https://opensource.apple.com/source/Heimdal/Heimdal-520.220.2/kcm/acl.c.auto.html
https://github.com/heimdal/heimdal/blob/master/kcm/acl.c#L38

Apple's version only allows root to see "system" and root-owned caches,
while upstream Heimdal's allows it to see everything.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

