Subject: Re: kerberos in 1.5_ALPHA
To: Greywolf <greywolf@starwolf.com>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 07/16/2000 10:17:18

On Sun, Jul 16, 2000 at 09:42:28AM -0700, Greywolf wrote:
> That's broken, IMO. If the kerberos method is not included in the
> nsswitch.conf, it ought not be consulted, I think. Or does that "break"
> things?

Well, actually, Kerberos doesn't really fit into the nsswitch model.
In the Athena environment (the original user of Kerberos), Hesiod (i.e.
"dns" in nsswitch.conf) is used for the user/group database info, and
Kerberos is used to authenticate the users. Kerberos is also used to
authenticate a person for access to another shared user account, such
as root (this is how su(1) works w/ Kerberos).

They're really two disjoint things, that happened to be unfortunately crammed
together back when the Unix password database format was invented.
--
-- Jason R. Thorpe <thorpej@zembu.com>