To: krb5-bugs@MIT.EDU
Subject: need standard way of finding keytab
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Tue, 17 Dec 2002 17:51:08 -0500

Hacks like this shouldn't be needed. There should be some standard
way of indicating where a keytab is located for a given user or
service.

For example, perhaps non-root users would look in ~/etc/krb5.keytab,
or maybe krb5.conf could have a table mapping principal names or
service (first-component) names to pathnames ("zephyr =
/usr/local/etc/zephyr/zephyr.keytab"). Maybe both.

No special configuration should be needed to look for the current
standard services (host and ftp at least) in the standard keytab,
though that could be accomplished by having a list of names instead of
just one. Say, if the default is "~/etc/krb5.keytab:/etc/krb5.keytab"
or equivalent.

Ken
[Attached message, message/rfc822, 2.4KiB]
From: Oleksiy Melnyk <Oleksiy.Melnyk@somewhere.kiev.ua>
X-Newsgroups: comp.protocols.kerberos
Subject: Re: Authorising via non-root user
Organization: Ukrainian Processing Center
Message-ID: <1040115530.711013@upc-dot.upc.intranet>
References: <V3uL9.1058$3R6.70@news-binary.blueyonder.co.uk>
To: kerberos@MIT.EDU
Date: Tue, 17 Dec 2002 10:55:20 +0200

Try to set KRB5_KTNAME='/path/to/user/accessible/keytab/file/for/that/service'
in your service daemon's environment.

Sergei Grigoriev wrote:
> What do I need to do in order to
> allow a non-root user to run this daemon and successfully test incoming
> service tickets via GSSAPI?

________________________________________________
Kerberos mailing list Kerberos@mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
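Pulling the two messages together, as an added example that is not code from the ticket, from either poster, or from MIT krb5: a POSIX shell sketch of the lookup order Ken proposes (KRB5_KTNAME first, then a per-service "service = path" table of the form he sketches, then a colon-separated default path such as "~/etc/krb5.keytab:/etc/krb5.keytab"), with the permission check a practitioner would want before handing the result to a non-root daemon. Only the KRB5_KTNAME override is real library behaviour; the KEYTAB_TABLE and KEYTAB_SEARCH_PATH names, the table format, the fall-through order and the sample table entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from MIT krb5. It
# emulates the lookup order proposed in the ticket, with the KRB5_KTNAME
# override from the reply on top, so the keytab a non-root daemon will use
# can be resolved and checked before the daemon is started.
# Assumed (hypothetical) order: KRB5_KTNAME; a "service = path" table
# (KEYTAB_TABLE, standing in for a krb5.conf section that does not exist);
# then KEYTAB_SEARCH_PATH, defaulting to "$HOME/etc/krb5.keytab:/etc/krb5.keytab".

# Constructed sample table in the form the proposal sketches.
KEYTAB_TABLE='zephyr = /usr/local/etc/zephyr/zephyr.keytab
imap   = /var/imap/imap.keytab'

# Strip the optional FILE:/WRFILE: type prefix that krb5 accepts in KRB5_KTNAME.
keytab_path() {
    case "$1" in
        FILE:*)   printf '%s\n' "${1#FILE:}" ;;
        WRFILE:*) printf '%s\n' "${1#WRFILE:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# A keytab holds long-term service keys, so a candidate is usable only when
# it is a regular file this user can read and no group/other bits are set
# (mode 0600 or stricter). The mode string is column 1 of ls -ld.
keytab_usable() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Look a service (first principal component) up in KEYTAB_TABLE.
keytab_for_service() {
    while IFS= read -r line; do
        svc=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]//g')
        path=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ "$svc" = "$1" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done <<EOF
$KEYTAB_TABLE
EOF
    return 1
}

# find_keytab SERVICE: print the keytab the daemon should use, or fail.
find_keytab() {
    # An explicit KRB5_KTNAME wins; if it is unusable that is a configuration
    # error, so do not fall through to a default the admin did not pick.
    if [ -n "$KRB5_KTNAME" ]; then
        p=$(keytab_path "$KRB5_KTNAME")
        keytab_usable "$p" || return 1
        printf '%s\n' "$p"
        return 0
    fi
    if p=$(keytab_for_service "$1") && keytab_usable "$p"; then
        printf '%s\n' "$p"
        return 0
    fi
    old_ifs=$IFS
    IFS=:
    set -- ${KEYTAB_SEARCH_PATH:-$HOME/etc/krb5.keytab:/etc/krb5.keytab}
    IFS=$old_ifs
    for p in "$@"; do
        if [ -n "$p" ] && keytab_usable "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Usage: resolve the keytab for the imap service and hand it to the daemon
# through KRB5_KTNAME, as the reply suggests:
# KRB5_KTNAME="FILE:$(find_keytab imap)" && export KRB5_KTNAME
```

An explicit KRB5_KTNAME that fails the check makes the script fail rather than quietly fall back to /etc/krb5.keytab, because a daemon that silently uses a keytab the admin did not choose masks the misconfiguration; the permission test is deliberately strict, since a group- or world-readable keytab hands the service's long-term key to every local account.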