[1479] in Kerberos_V5_Development
Re: kpasswd still fails even with ovsec_adm principals
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Fri Aug 2 11:32:04 1996
Date: Fri, 2 Aug 1996 11:30:46 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: tlyu@MIT.EDU
Cc: hartmans@MIT.EDU, krbcore@MIT.EDU
In-Reply-To: <199608020249.WAA14492@dragons-lair.MIT.EDU> (message from Tom Yu on Thu, 1 Aug 1996 22:49:42 -0400)
Why is kpasswd using the old OV API at all?
kpasswd was using the old OV API because I had no reason to change it;
the old API version still works, and is still sufficient for kpasswd's
functionality. It was less effort to compile with
-DUSE_KADM5_API_VERSION_1 than to update the code.
Obviously, I made a mistake: kpasswd shouldn't still be using
ovsec_adm/changepw, but should be using kadmin/changepw. That can be
fixed trivially by passing KADM5_CHAGNEPW_SERVICE instead of
OVSEC_KADM_CHANGEPW_SERVICE to ovsec_kadm_init(); alternatively, the
code can be rewritten to use version 2 of the api.
Nevermind that this
points out a possible deficiency in our backwards compatibility (if we
actually want that).
How so? A site that wants to use existing OV binaries has to put
ovsec_adm/kadmin and ovsec_adm/changepw in the admin server's keytab.
I don't think that's a problem.
Barry
