Shawn M Emery wrote:
> Roland Mainz wrote:
[snip]
> > One minor nit:
> > "kserver" is a very generic name. IMO it may be better to name it
> > "kdcserver" or "krbserver" to make sure it doesn't collide with other
> > projects using the "k*"-prefix. For example FreeWNN has a "kserver" and
> > AFAIK KDE has something which sounds similar...
>
> It was named to match the client equivalent, kclient(1M), but I can see
> how it may be confusing.

I know... and somehow I wish "kclient" would be EOL'ed (which is AFAIK
not difficult and can AFAIK be done in the same ARC fasttrack case) and
replaced with something like "krbclient" or "kdcclient" to have a little
bit more unique name.

> > <snip>
> >>
> >> 2.1 kserver(1M) script
> >>
> >> This will be implemented in a scripting language (ksh) that will
> >> make calls to Kerberos utilities to configure the master and slave
> >> KDC servers. These Kerberos and system utilities include:
> >> kdb5_util(1M)
> >> kadmin(1M)
> >> kadmin.local(1M)
> >> svcadm(1M)
> >> dig(1M)
> >> ping(1M)
> >
> > Minor issue: What about IDN (Internationalized Domain Name) support ?
> > Yes, I know... Krb5 does not support that yet... but now should this be
> > handled in theory (for example assume that the admins locale is a
> > multibyte locale (such as en_US.UTF-8) and then let the script handle
> > all details) ?
>
> There are dependencies in Kerberos for implementing this and I would
> consider this out of scope for this setup script.

Uhm... in theory you can beat (using a large club) the current kerberos
to work with IDN. But you're right, real builtin support for non-ASCII
host- and usernames may be better. What about adding a small safeguard
which uses /usr/xpg4/bin/egrep (WARNING: /usr/bin/grep is not aware of
multibyte characters - it will only work with /usr/xpg4/bin/egrep) to
make sure the input characters are in the allowed ASCII range ?

> >> The kserver script will perform basic security checks and warn the
> >> administrator if it detects a problem.
> >>
> >
> > What about adding a "dry-run" option which does some pre-checks without
> > changing the configuration ?
>
> Yes, this is what it essentially means:
> 1. check for existing kdb
> 2. file permissions
> 3. DNS configuration
> 4. etc.

Sounds Ok...

[snip]
> >> System Administration Commands kserver(1M)
> >>
> >> NAME
> >> kserver - set up a Kerberos Key Distribution Center (KDC)
> >>
> >> SYNOPSIS
> >> /usr/sbin/kserver [ -a admprincipal ] [ -e enctype ]
> >> [ -h ] [ -l slave1[:slave2:...] ] [ -r realm ] [ -s ]
> >>
> >
> > What about adding a generic "action" here to define the action which
> > should be done, e.g. "kserver create" (or "kserver setup") to set up a
> > Kerberos Key Distribution Center (and reserve any future "action"
> > keyword (e.g. "kserver adduser", "kserver rmuser", "kserver destroy",
> > "kserver backup" etc.) for future usage) ?
>
> I like the general concept, but we wouldn't have to reserve an action
> keyword, given that we would keep other arguments as options. Some
> potential actions for this version:
>
> setup
> destroy
> backup
>
> future versions may include:
> addprinc
> delprinc
> addkeytab
> addxrealm

Sounds Ok... ... what about an "info" and/or "status" to get some status
information of the server processes ?

> For non-interactiveness I would have to add new options to cover new
> functionality or require that these actions be interactive.

Erm... maybe I missed that part... "kserver" is interactive ?!

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
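
An added example, not part of the original message and not kserver code: the ASCII-range safeguard suggested in the reply above, applied to a colon-separated host list like the one `-l` takes. The function names, the DNS label pattern and the fallback to `grep -E` where /usr/xpg4/bin/egrep is absent are assumptions.

```sh
#!/bin/sh
# Added example (not kserver code); all function names are hypothetical.

# Prefer the multibyte-aware XPG4 egrep on Solaris, else POSIX "grep -E".
if [ -x /usr/xpg4/bin/egrep ]; then
    EGREP=/usr/xpg4/bin/egrep
else
    EGREP="grep -E"
fi

# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing "-".
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'

# is_ascii_hostname NAME: exit 0 only for a plain ASCII host name.
is_ascii_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    # grep works per line, so an embedded newline could hide a bad line.
    case $name in *'
'*) return 1 ;; esac
    # In the C locale each byte is one character, so every byte of a
    # multibyte (e.g. UTF-8) sequence falls outside the ranges below.
    printf '%s\n' "$name" |
        LC_ALL=C $EGREP -x "$LABEL(\.$LABEL)*" >/dev/null || return 1
    # All characters are ASCII here, so ${#name} is the byte length.
    [ "${#name}" -le 253 ]
}

# check_host_list "h1:h2:...": exit 0 if every entry passes, otherwise
# print the first rejected entry and exit 1.
check_host_list() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=:
    set -f              # no glob expansion while splitting on ":"
    set -- $list
    set +f
    IFS=$old_ifs
    for h in "$@"; do
        is_ascii_hostname "$h" || { printf '%s\n' "$h"; return 1; }
    done
    return 0
}
```

A pre-check like this fits the "dry-run" idea discussed above, since it only reads its input and changes nothing.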
