Roland Mainz wrote:
> Shawn M Emery wrote:
>
>> Roland Mainz wrote:
>>
> [snip]
>
> I know... and somehow I wish "kclient" would be EOL'ed (which is AFAIK
> not difficult and can AFAIK be done in the same ARC fasttrack case) and
> replaced with something like "krbclient" or "kdcclient" to have a little
> bit more unique name.
>
I'm also making a number of changes to kclient as well, so now would be the time.

>>> <snip>
>>> Minor issue: What about IDN (Internationalized Domain Name) support ?
>>> Yes, I know... Krb5 does not support that yet... but now should this be
>>> handled in theory (for example assume that the admin's locale is a
>>> multibyte locale (such as en_US.UTF-8) and then let the script handle
>>> all details) ?
>>>
>> There are dependencies in Kerberos for implementing this and I would
>> consider this out of scope for this setup script.
>>
>
> Uhm... in theory you can beat (using a large club) the current kerberos
> to work with IDN. But you're right, real builtin support for non-ASCII
> host- and usernames may be better.
> What about adding a small safeguard which uses /usr/xpg4/bin/egrep
> (WARNING: /usr/bin/grep is not aware of multibyte characters - it will
> only work with /usr/xpg4/bin/egrep) to make sure the input characters
> are in the allowed ASCII range ?
>
I will check the interfaces to see if this needs to be considered. Thanks.

>>>> The kserver script will perform basic security checks and warn the
>>>> administrator if it detects a problem.
>>>>
>>>>
>>> What about adding a "dry-run" option which does some pre-checks without
>>> changing the configuration ?
>>>
>> Yes, this is what it essentially means:
>> 1. check for existing kdb
>> 2. file permissions
>> 3. DNS configuration
>> 4. etc.
>>
>
> Sounds Ok...
>
> [snip]
>
>> I like the general concept, but we wouldn't have to reserve an action
>> keyword, given that we would keep other arguments as options. Some
>> potential actions for this version:
>>
>> setup
>> destroy
>> backup
>>
>> future versions may include:
>> addprinc
>> delprinc
>> addkeytab
>> addxrealm
>>
>
> Sounds Ok...
> ... what about an "info" and/or "status" to get some status information
> of the server processes ?
>
I will consider this as well.

>> For non-interactiveness I would have to add new options to cover new
>> functionality or require that these actions be interactive.
>>
>
> Erm... maybe I missed that part... "kserver" is interactive ?!
>
It will always be, because passwords are required for the administrative
principal and to derive the master key. And it could be interactive if
not all information is provided as arguments.

Thanks,
Shawn.
--
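
The safeguard suggested in the thread (rejecting input outside the allowed ASCII range before a setup script uses it), as an added example that is not part of the original messages or of kclient/kserver. The function names, the hostname and principal patterns, the fallback to `grep -E` where /usr/xpg4/bin/egrep is absent, and forcing `LC_ALL=C` for the match are assumptions of this example.

```shell
#!/bin/sh
# Added example: ASCII-only input checks for a Kerberos setup script.
# Prefer the XPG4 egrep named in the thread; fall back to "grep -E"
# on systems that do not ship it (assumption of this example).
if [ -x /usr/xpg4/bin/egrep ]; then
    EGREP=/usr/xpg4/bin/egrep
else
    EGREP="grep -E"
fi

# A literal newline, used to reject multi-line input.
NL='
'

# ascii_match PATTERN VALUE
# True only if VALUE is a single line that matches PATTERN completely.
# LC_ALL=C makes bracket ranges byte-based, so any byte >= 0x80
# (every byte of a multibyte UTF-8 character) fails to match.
ascii_match() {
    case "$2" in
        *"$NL"*) return 1 ;;   # grep matches per line; refuse newlines
    esac
    printf '%s\n' "$2" | LC_ALL=C $EGREP "^($1)\$" >/dev/null 2>&1
}

# Hostname: dot-separated letter/digit/hyphen labels of 1-63 characters,
# at most 253 characters in total, no leading or trailing hyphen.
valid_hostname() {
    [ "${#1}" -le 253 ] || return 1
    label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    ascii_match "$label(\\.$label)*" "$1"
}

# Principal name component (hypothetical policy): printable ASCII
# except space, '/' and '@', which delimit components and the realm.
valid_princ_component() {
    ascii_match '[!-.0-?A-~]+' "$1"
}
```

A setup script would call these on each hostname, realm or principal name it reads, before writing any configuration, and stop with an error on the first value that fails.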
