[1291] in Kerberos_V5_Development
kadmin and initial credentials
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Thu Jun 6 15:10:21 1996
Date: Thu, 6 Jun 96 15:10:03 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU
Okay, all you flexibility fans, here is how the kadm5 api, and kadmin
in particular, deal with initial credentials.
The kadm5 api exports three initialization functions,
kadm5_init_with_password, kadm5_init_with_skey, and
kadm5_init_with_creds. The first two are the same as they used to be
(they acquired tickets themselves and destroy the tickets when
kadm5_destroy is called) and still need to exist because it would be
silly to force every kadm5 api client to acquire its own tickets when
most are always happy to use the default. The new function,
kadm5_init_with_creds, takes an open krb5_ccache as an argument which
must already contain an appropriate initial ticket. kadm5_destroy
does NOT destroy credentials handed to the api via init_with_creds; if
the caller created the creds, the caller should destroy them.
Now, kadmin's usage is
    Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
      clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]
      local args: [-d dbname] [-m]
If you do not specify -c or -k, kadmin will use
kadm5_init_with_password, which will prompt for a password. If you
specify -k (and optionally -t to specify a non-default keytab), kadmin
will use kadm5_init_with_skey, which will acquire a ticket using the
keytab (this is most useful for the keytab-changing functionality,
since the admin server lets a principal extract a new keytab for
itself). If you specify -c, kadmin will either use the tickets
already in ccache or create the ccache and acquire new tickets,
prompting the user for a password. Also, if you specify -c, kadmin
DOES NOT destroy the ccache.
My reasoning behind the -c functionality is that the only time a user
would specify the -c argument is if he wants to be able to run the
program multiple times but only enter the password once, in which case
the user does not want kadmin to destroy the tickets. After the batch
is complete, the user must run kdestroy.
I realize that this is complicated, mainly because there are two
separate paths in which kadmin will prompt for a password, and because
kadmin is acquiring tickets into a ccache that it does not destroy.
Both of these complications, as well as a lot of duplicate code, would
be eliminated if kinit had an option to specify the service principal
to acquire an initial ticket for instead of krbtgt; then, a user that
wanted to use kadmin in batch mode could run kinit, kadmin -c, and
kdestroy, and kadmin would not need its own initial ticket logic.
Comments?
Barry