logo_kerberos.gif

Release Meeting Minutes/2015-03-10

From K5Wiki
Jump to: navigation, search


Rob Campanella, Thomas Hardjono, Greg Hudson, Ben Kaduk, Nathaniel McCallum, Simo Sorce, Zhanna Tsitkov, Nico Williams, Tom Yu

Larger key versions

See Projects/Larger key versions.

Greg
kvno -- thought it would be simple, but turned out harder. 8-bit in keytab and kadm5 protocol, but 16-bit in KDB. kvno 0 is a special case in the DBE stuff, and ASN.1 encoders omit it.
Nico
Your proposal seems OK. Please record keyset creation time.

Some discussion; such metadata are already being considered for some KDB data model renormalization.

Solaris 10 segfault

When explicit normal salt is sent to a Solaris 10 client in PA-ETYPE-INFO2, the client can segfault.

Greg
Introduced in 1.7 but not effective until 1.11, due to some code masking the change.

gss_acquire_cred_with_password

Greg
In the Luke Howard implementation, creds get stored to memory ccache. Made change to use default cache. Heimdal matches MIT.

Nico explains about how Solaris had the same semantic as Luke originally implemented; existing MIT and Heimdal behavior is incompatible. Discussion about what constitutes a reasonable side effect in GSSAPI.

Nico wants acq_cred_with_password to have the same behavior as with delegated creds.

KDC discovery

Nathaniel
Please give feedback on the KDC service discovery draft in KITTEN.