Release Meeting Minutes/2013-06-11

From K5Wiki

Shawn Emery, Greg Hudson, Ben Kaduk, Nathaniel McCallum, Zhanna Tsitkov, Nico Williams, Tom Yu

Companion daemon

Nathaniel
Worst case it drops off face of earth. Reject to client. Should somehow signal client to retry.
Greg
RADIUS server might not be a companion daemon.
Nathaniel
Local will always give an immediate error. libkrad will attempt to retry.
Tom
KDC_ERR_SVC_UNAVAILABLE
Nathaniel
Requirement to put sockets in /run (from SELinux)
Greg
Open to configure option for /run, maybe try to add autodetect
Shawn
More authorization checks for S4U2Self... limit proxy princ deleg for specific clients. [ Probably really need this in S4U2Proxy ]
Greg
Write a project page. LDAP back end can check but ignores client principal. [ this would be a new capability ]
Nico
Have wanted this too.

Zero-component principals

Nico
Question on KITTEN list re zero-length (zero component) principals... want to steal syntax to specify realm alone GSS name type for naming realms. Form would be "@REALMNAME". Heimdal apparently gives you a single-component principal whose content is "@" in that case.

OTP

Nathaniel
Greg, have working tests. Forward slash determines file vs (literal) password for secret.
Greg
Maybe we can have a default directory.