Subject: Re: login.conf for selecting password verification method (was Re: Kerberos
To: None <thorpej@zembu.com>
From: Jaromír Doleček <dolecek@ibis.cz>
List: tech-userlevel
Date: 06/30/2000 20:26:59
Jason R Thorpe wrote:
> I think in the short-term (i.e. in time for 1.5), we should change
> Heimdal's behavior to match MIT's wrt. krb5_init_context().

This would not help for passwd at least, if I parse the code correctly.

> For post-1.5, we should investigate adding the mechanisms to login.conf,
> possibly also supporting dynamically-loaded auth modules a'la PAM.

Actually, the applications should probably be changed so that a
failure to obtain a krb context (failure of getting the principal in
krb5_parse_name(), or failure of krb5_get_init_creds_password())
would not be treated as a fatal error. This means that e.g.
passwd's krb5_passwd.c:krb5_chpw() would return -1 instead of 1
if either of those functions fails, so that the login in main() would
also try other methods.

Does Heimdal return a special error if a function fails due to
the krb server not running?

Reminds me ... is there any krb4_passwd.c? The krb4_chpw() and
friends seem to be referenced in passwd.c ifdef KERBEROS, but
there is no such function in the passwd's sources.

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>      http://www.ics.muni.cz/~dolecek/
@@@@  Wanna a real operating system ? Go and get NetBSD, damn!  @@@@
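
An added sketch of the fallback convention discussed in the message above (not code from the original post or from NetBSD's passwd): a method returns -1 to let the caller try the next method and 1 to stop. The `*_sketch` functions, the `krb_result` classes and `run_with()` are hypothetical names, and keeping a rejected password fatal rather than falling through is an assumption of this example.

```c
#include <stddef.h>

/* Return convention taken from the message: 0 = done, 1 = fatal,
 * -1 = this method cannot be used, let main() try the next one. */
enum { CHPW_OK = 0, CHPW_FATAL = 1, CHPW_SKIP = -1 };

/* Hypothetical failure classes (constructed; not Heimdal or MIT error codes). */
enum krb_result { KRB_SUCCESS, KRB_NO_PRINCIPAL, KRB_KDC_DOWN, KRB_BAD_PASSWORD };

typedef int (*chpw_fn)(const char *user);

/* Stands in for the outcome of the real Kerberos library calls. */
static enum krb_result simulated_krb = KRB_SUCCESS;

/* Sketch of a krb5_chpw()-style method: "Kerberos is not usable here"
 * becomes -1; a rejected password stays fatal so it cannot silently
 * downgrade to another method (an assumption of this example). */
int krb5_chpw_sketch(const char *user)
{
    (void)user;
    switch (simulated_krb) {
    case KRB_SUCCESS:      return CHPW_OK;
    case KRB_NO_PRINCIPAL:
    case KRB_KDC_DOWN:     return CHPW_SKIP;
    default:               return CHPW_FATAL;
    }
}

/* Hypothetical second method (e.g. the local password database). */
int local_chpw_sketch(const char *user) { (void)user; return CHPW_OK; }

/* Returns the index of the method that succeeded, or -1 if none did. */
int try_methods(const chpw_fn *m, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        int rv = m[i](user);
        if (rv == CHPW_OK)    return (int)i;
        if (rv == CHPW_FATAL) return -1;   /* stop: do not fall through */
    }
    return -1;
}

/* Runs the method chain with a given simulated Kerberos outcome. */
int run_with(enum krb_result r)
{
    const chpw_fn methods[] = { krb5_chpw_sketch, local_chpw_sketch };
    simulated_krb = r;
    return try_methods(methods, 2, "alice");   /* "alice" is a constructed user */
}
```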