removal of kadm5.keytab [PSARC/2008/358 FastTrack timeout 06/10/2008]
James Carlson
james.d.carlson at sun.com
Tue Jun 3 07:58:29 PDT 2008
Mark Phalan writes:
>
> On Tue, 2008-06-03 at 09:49 -0400, James Carlson wrote:
> > OK. Perhaps the file should be deleted on system upgrade, so that the
> > user doesn't try to do something silly, like modify the file and
> > expect it to do something.
>
> That might be a good idea (although locating the file - parsing kdc.conf
> - might be tricky).
I see. Perhaps a boot-time (or one-time on upgrade) warning if the
path is specified in kdc.conf?
> As kadm5.keytab is generally managed with the "kadmin/kadmin.local"
> commands there is little scope for the user to become confused - the
> kerberos db is always updated when using those commands to modify
> keytabs. The only scenario I can think of where the user may not get
> what he expects is when he purposely tries to make kadmind fail by
> deleting or corrupting kadm5.keytab. In this scenario kadmind will still
> continue to work when the user may expect it to fail.
I guess I was thinking more about what happens when things are
restored from backup; the key will always be the one in the db, even
if a different one is (somehow) given elsewhere. Perhaps that just
doesn't happen in practice ...
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
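
An added example, not part of the original message or of any Solaris code: one way the upgrade-time warning suggested above could find a keytab path in kdc.conf. It assumes the path is given by an `admin_keytab` relation inside a per-realm block under `[realms]` (MIT-style kdc.conf); the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the keytab path is given by an admin_keytab
# relation inside a per-realm { } block under [realms] (MIT-style kdc.conf).
find_admin_keytab() {   # $1 = kdc.conf path; prints "REALM<TAB>PATH" per hit
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[#;]/ || /^$/ { next }                 # comments, blank lines
        /^\[/ { in_realms = ($0 == "[realms]"); depth = 0; next }
        !in_realms { next }
        depth == 0 && /=[ \t]*[{]$/ {            # "REALM = {"
            realm = $0; sub(/[ \t]*=.*/, "", realm); depth = 1; next
        }
        depth >= 1 && /[{]$/ { depth++; next }   # nested sub-block
        depth >= 1 && /^[}]/ { depth--; next }
        depth == 1 && /^admin_keytab[ \t]*=/ {
            path = $0; sub(/^[^=]*=[ \t]*/, "", path)
            printf "%s\t%s\n", realm, path
        }
    ' "$1"
}

warn_stale_keytab() {   # returns 1 (and warns on stderr) if any realm is hit
    hits=$(find_admin_keytab "$1")
    [ -z "$hits" ] && return 0
    tab=$(printf '\t')
    printf '%s\n' "$hits" | while IFS=$tab read -r realm path; do
        echo "WARNING: $1: realm $realm names keytab $path;" \
             "kadmind uses the key in the Kerberos db, edits to this file are ignored" >&2
    done
    return 1
}

write_sample() {        # constructed sample input, not a real configuration
    cat > "$1" <<'EOF'
[kdcdefaults]
[realms]
    EXAMPLE.COM = {
        # admin_keytab = /commented/out
        admin_keytab = /etc/krb5/kadm5.keytab
    }
    OTHER.EXAMPLE = {
        acl_file = /etc/krb5/kadm5.acl
    }
EOF
}
sample=$(mktemp); write_sample "$sample"
warn_stale_keytab "$sample" || echo "kdc.conf needs attention"
rm -f "$sample"
```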