[2734] in testers


Re: Question on krb5 in environment....

daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Dec 29 22:34:12 1994

Date: Thu, 29 Dec 1994 22:33:48 -0500
To: epeisach@MIT.EDU
Cc: testers@MIT.EDU
In-Reply-To: epeisach@MIT.EDU's message of Thu, 29 Dec 1994 20:45:17 -0500,
	<9412300145.AA00486@kangaroo.mit.edu>
From: "Richard Basch" <basch@MIT.EDU>


   From: epeisach@MIT.EDU
   Date: Thu, 29 Dec 1994 20:45:17 -0500


   Here is a gotcha that was probably not considered.... If you change your
   password - the server kerberos.mit.edu will have the new v4 password,
   but the primary for v5 kerberos-2 will have the old one.... (until the
   next morning propagation).

   This would imply that getting these v5 tickets as an attempt to
   eventually move to having clients/servers that rely on them will have to
   wait until the two run on the same server and share a database.... I
   would hate to have a client application die because someone changed
   their password and was no longer getting v5 tickets on the kinit....

   So, the end result, which consulting would probably have to be made
   aware of, is that if you change your password, you will probably get an
   error if you log in later in the same day...

   Am I missing something obvious here?

   	Ezra

Theoretically, the krb.conf.v5 should be updated during IAP, when all
the Kerberos servers are updated, or at least that was what I heard
mumblings about earlier...  For testing to commence, we had to use a
hacked ordering of the servers...

-Richard
