>>No, at worst a principal is granted access because a service
>>assuming the KDC does authorization is deployed in a realm where
>>this is not the case. The interop problem happens when someone
>>wants to deploy a service but realizes they cannot do so because
>>it requires authorization features their realm does not support.
>
> hmm..
>
>>I am aware of no widely deployed Kerberos applications without
>>authorization support.
>
> pam_krb5?
>

PAM modules are, by definition, authentication modules (PAM = Pluggable Authentication Mechanism/Module). A PAM module should not be able to provide authorization since most PAM modules do not and should not know what application they are being used to authenticate.

-Wyllys