[2292] in Kerberos_V5_Development


Re: krb5-admin/24: v4 kadmin functionality is lacking

daemon@ATHENA.MIT.EDU (Tom Yu)
Sun Mar 9 02:47:42 1997

Date: Sun, 9 Mar 1997 02:42:44 -0500
To: krbdev@MIT.EDU
Cc: krb5-bugs@MIT.EDU
In-Reply-To: tlyu@MIT.EDU's message of Wed, 25 Sep 1996 15:34:10 -0400
	<9609251934.AA19717@tesla-coil.MIT.EDU>
From: Tom Yu <tlyu@MIT.EDU>

I am really tempted to punt completely on the krb4 kadmind problem.
There are several reasons:

The ADD_ENT and MOD_ENT requests take keys, not passwords.  This is
incompatible with the kadm5 API.  Since only reg_svr and the krb4
kadmin use these requests, and we have a large amount of control over
the use of these, I propose that we not implement them.

The CHECK_PW request is used by the userreg client, which we can also
rewrite to deal with kadm5.

CHG_STAB could also be left unimplemented, since its usage is limited
to get_srvtab, and we can distribute a shell script or something
equivalent to deal with generating krb4 srvtabs.

Anyway, we should also deal with the generic get_srvtab problem at
some point.  I don't know if a serious discussion has taken place
about this yet, but the main aspect of this problem is that a site with
many machines needing keytabs but few administrators to walk about to
machines to generate them would be bottlenecked on these
administrators during krb5 deployment.  There are several ways to
remedy this problem, but the one that I am leaning towards is to have
a special acl file that would indicate what users are allowed to
change keytabs for particular hosts.  Perhaps this deserves a separate
PR.

---Tom
