[cups.general] Strange kerberos problem [solved]
Brandon S. Allbery KF8NH
allbery at ece.cmu.edu
Tue Jan 29 14:19:08 PST 2008
On Jan 29, 2008, at 17:12 , Michael Sweet wrote:
>> Non-Microsoft Kerberos doesn't do groups, or anything else beyond
>> straight authentication (not authorization!) and a free session
>> key. I
>> think IBM/HP/DEC's DCE was the only thing other than Active
>> Directory to
>> use the private use area in krb5 tickets, and its use was minimal.
>
> Um, I'm pretty sure that standard MIT Kerberos + LDAP provides
> groups, without bloating credentials. Anyways, I've updated the
> code to support credentials up to 64k in size.
But those groups come from an LDAP transaction and are not stored in
the ticket, last I checked. (MIT Kerberos *using* LDAP does so only
for multi-master replication, LDAP plays no role in ticket contents.)
--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery at kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
More information about the cups
mailing list