[1298] in Kerberos_V5_Development

Re: kadmin and initial credentials

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Jun 10 14:27:23 1996

To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
From: Ken Raeburn <raeburn@cygnus.com>
Date: 09 Jun 1996 22:19:04 -0400
In-Reply-To: "Barry Jaspan"'s message of Thu, 6 Jun 96 15:10:03 -0400

"Barry Jaspan" <bjaspan@MIT.EDU> writes:

> The kadm5 api exports three initialization functions,
> kadm5_init_with_password, kadm5_init_with_skey, and
> kadm5_init_with_creds.

I have to keep reminding myself that the second has nothing to do with
s/key...

> Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
>         clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]
>         local args: [-d dbname] [-m]

What about making the ccache field optional?  Why should an
administrator have to muck with setting up a unique filename and
passing it in all the time, when other programs' behavior does
reasonable defaulting?

> My reasoning behind the -c functionality is that the only time a user
> would specify the -c argument is if he wants to be able to run the
> program multiple times but only enter the password once, in which case
> the user does not want kadmin to destroy the tickets.  After the batch
> is complete, the user must run kdestroy.

I think the -c cache-using and -preserving functionality should be
independent of the method for acquiring the tickets.  Perhaps I want
to write a script which will use a keytab to run kadmin multiple times
(with some other work done in between, so it wouldn't make sense to
combine the uses).  Say, "-c -k" does the combination, using or
creating the ccache named in the environment, or determined by the
uid.

Of course, if Marc's suggested kinit change is made, the whole issue
goes away...
