[36867] in Kerberos
Re: kadmin remote as a regular user
daemon@ATHENA.MIT.EDU (Rainer Krienke)
Wed Apr 1 08:05:13 2015
Message-ID: <551BDE9D.1050804@uni-koblenz.de>
Date: Wed, 01 Apr 2015 14:03:41 +0200
From: Rainer Krienke <krienke@uni-koblenz.de>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
In-Reply-To: <551AABE9.2080407@mit.edu>
Content-Type: multipart/mixed; boundary="===============1491218384=="
Errors-To: kerberos-bounces@mit.edu
This is a cryptographically signed message in MIME format.
--===============1491218384==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms080804020205020309050602"
This is a cryptographically signed message in MIME format.
--------------ms080804020205020309050602
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Am 31.03.2015 um 16:15 schrieb Greg Hudson:
> On 03/31/2015 07:56 AM, Rainer Krienke wrote:
>> I would like to achieve the following. A particular user say "john" lo=
gs
>> in at a linux system or authenticates in apache against kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional other password.
>=20
> You are running into two semi-configured, semi-conventional behaviors:
>=20
> 1. By default, kadmin assumes you want to authenticate as username/admi=
n.
>=20
> 2. By default, the KDC doesn't accept TGS requests for the kadmin
> service; you have to get an initial ticket directory for the service.
> Because of this, the kadmin client doesn't even try to make a TGS
> request; it either makes an AS request or uses existing tickets.
>=20
> My recommendation is that you don't fight these defaults, but use kinit=
> -S and kadmin -c to avoid having to enter a password for every operatio=
n:
>=20
> kinit -S kadmin/admin -c /path/to/admin/ccache john/admin
> kadmin -c /path/to/admin/ccache
Hello Greg,
thank you very much for you explanation. However I first wondered why
the credential cache above was named "admin" I guess its not a typo but
I still do not understand why the credentials of admin/admin are needed
and no other user like john/admin is allowed here?
I added a principal john/admin@MYREALM.DE to kerberos. Then on the
client I run kinit:
$ kinit -S kadmin/admin john/admin
< johns password>
Then I run kadmin on the client system and do not have to enter any
password. Say john has uid 1234:
$ kadmin -c /tmp/krb5cc_1234
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin: getprinc nfs/linux.uni-koblenz.de
get_principal: Operation requires ``get'' privilege while retrieving
"nfs/linux.uni-koblenz.de
The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks
like this:
#
admin/admin *
kadmin/admin *
kadmin/admin@MYREALM.DE *
john/admin *
john/admin@MYREALM.DE *
So getprivs says everything is ok, the ACL is set, authentication for
john/admin works but I actually cannot get any principal or list
principals. The logfile from kerberos tells me:
"Unauthorized request: kadm5_get_principal nfs/linux.uni
-koblenz.de@MYREALM.de, client=3Djohn/admin@MYREALM.DE, service=3Dkadmin/=
ad
min@MYREALM.DE"
However if I run kinit -S kadmin/admin admin/admin
(so actually using principal admin/admin instead of john/admin) things
work just fine in eg kadmin: getprincs. Is the principal admin/admin
in some way hardcoded in kadmin?
Seems I still do not understand the way kerberos works. Can anyone help?
Thanks
Rainer
--=20
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1=
312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
--------------ms080804020205020309050602
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIPwDCC
BNUwggO9oAMCAQICCFBOxvU9EbRkMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAkRFMRww
GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3Qg
Q2VudGVyMSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAeFw0xNDA3MjIx
MjA4MjZaFw0xOTA3MDkyMzU5MDBaMFoxCzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVy
ZWluMRAwDgYDVQQLEwdERk4tUEtJMSQwIgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwg
LSBHMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpm8NnhfkNrvWNVMOWUDU9
YuluTO2U1wBblSJ01CDrNI/W7MAxBAuZgeKmFNJSoCgjhIt0iQReW+DieMF4yxbLKDU5ey2Q
RdDtoAB6fL9KDhsAw4bpXCsxEXsM84IkQ4wcOItqaACa7txPeKvSxhObdq3u3ibo7wGvdA/B
CaL2a869080UME/15eOkyGKbghoDJzANAmVgTe3RCSMqljVYJ9N2xnG2kB3E7f81hn1vM7Pb
D8URwoqDoZRdQWvY0hD1TP3KUazZve+Sg7va64sWVlZDz+HVEz2mHycwzUlU28kTNJpxdcVs
6qcLmPkhnSevPqM5OUhqjK3JmfvDEvK9AgMBAAGjggGGMIIBgjAOBgNVHQ8BAf8EBAMCAQYw
HQYDVR0OBBYEFEm3xs/oPR9/6kR7Eyn38QpwPt5kMB8GA1UdIwQYMBaAFDHDeRu69VPXF+CJ
ei0XbAqzK50zMBIGA1UdEwEB/wQIMAYBAf8CAQIwYgYDVR0gBFswWTARBg8rBgEEAYGtIYIs
AQEEAgIwEQYPKwYBBAGBrSGCLAEBBAMAMBEGDysGAQQBga0hgiwBAQQDATAPBg0rBgEEAYGt
IYIsAQEEMA0GCysGAQQBga0hgiweMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9wa2kwMzM2
LnRlbGVzZWMuZGUvcmwvRFRfUk9PVF9DQV8yLmNybDB4BggrBgEFBQcBAQRsMGowLAYIKwYB
BQUHMAGGIGh0dHA6Ly9vY3NwMDMzNi50ZWxlc2VjLmRlL29jc3ByMDoGCCsGAQUFBzAChi5o
dHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL2NydC9EVF9ST09UX0NBXzIuY2VyMA0GCSqGSIb3
DQEBCwUAA4IBAQBjICj9nCGGcr45Rlk5MiW8qQGbDczKfUGchm0KbiyzE1l1sTOSG2EnFv/D
stU1gvuEKgFJvWa7Zi+ywgZdbj9u4wFaW8pDY1yVtuExpx/VB19N5mWCTjL5w3x6S81NXHTu
IfJ1AuxSPtLJatOQI25JZzW+f01WpOzML8+3oZeocj7JvEDWWqQIPda8gsO3tzKOsSyOam23
NQIZz/U5RFhjpyQAELC7/E6vbi84u6VXST/YblBvLJeW3B1GmmWJz67M8uXZn1OzPqEvkqnY
C8aEHwTG6x7on321e6UC8STFJGMRNMxakyAqeYg6JUKQqWU7fIbTEhUjKfws2sw5W1QXMIIF
XjCCBEagAwIBAgIHF5mf2lfXsjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJERTETMBEG
A1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVp
biBQQ0EgR2xvYmFsIC0gRzAxMB4XDTE0MDUxOTE1MjQ1OFoXDTE5MDcwOTIzNTkwMFowgYIx
CzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1bHJlY2hlbnplbnRy
dW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIxIDAeBgkqhkiG9w0B
CQEWEWNhQHJocmsudW5pLWtsLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rkBDHdIGttkOw7WYdJ2BisOniuHlJCPep/0pUeTb9QFLZaprodeeRm6kFix2XGl3h4imLu7d
Gwtu8oRRpGcZ6tm3i2VSpw1zxxk9uUV2sMiRHK2HVkN3qWFwq/RBOgPEaVNhdF5hMz7QZjZr
dXtXOM4LGG8kBZqD75Q+U0mbtDagOL1NIwtJuY3YqnL/6Hvptb4F30RDVUnYmhsWVX+RCNaM
vO1rU9gHHONICEv8AAP1XKRX4L7lB77wDpNZL6CImPp+xPHybnU6e98QjTa3InO40E8sCKch
XrWfpKeuwW8iXSTwjEp7zuhS39oDPwHmNYzPLEF4NO1LSUKK1PNFswIDAQABo4IB/jCCAfow
EgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
MB0GA1UdDgQWBBQv3ROYY1wLw2+47YbgAyfBb7q2AjAfBgNVHSMEGDAWgBRJt8bP6D0ff+pE
exMp9/EKcD7eZDAcBgNVHREEFTATgRFjYUByaHJrLnVuaS1rbC5kZTCBiAYDVR0fBIGAMH4w
PaA7oDmGN2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9j
YWNybC5jcmwwPaA7oDmGN2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2Ev
cHViL2NybC9jYWNybC5jcmwwgdcGCCsGAQUFBwEBBIHKMIHHMDMGCCsGAQUFBzABhidodHRw
Oi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwRwYIKwYBBQUHMAKGO2h0dHA6
Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0
MEcGCCsGAQUFBzAChjtodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWNhL3B1
Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEA3rH+7oW8Dj5JvS3ijKWD
ByPxQpZispCRD/tR3Jx/wr/2z5B6NiozII7uAvd9ruZwBG/X4tmb2u+72FsymXJS1E+iffMJ
e18LsSUmE2wC61a/OFinQyVdz2GJJG+T59yEZARvEh+iRvaasX8ox0j80JR2mDwjnSKy1zBY
zk7Hg3gdgCjqAffWt0I/BsiV+mHdOWG/ubljt+j7jsCqBobUixc1wEXwSzzSq+sO5Xn7Mqst
pT2O9JkuCVcxhcKVEDAq6vErEpvJLafwkd5j+lkUaqnPQU8l449+ClRXlRcQUS7fy3C1zpi2
iR1RweUMoybqv7/7H6RU3g+cLiFgssc8fTCCBYEwggRpoAMCAQICBxjW+6gaJIQwDQYJKoZI
hvcNAQELBQAwgYIxCzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1
bHJlY2hlbnplbnRydW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIx
IDAeBgkqhkiG9w0BCQEWEWNhQHJocmsudW5pLWtsLmRlMB4XDTE1MDExNTA4NDUxM1oXDTE4
MDExNDA4NDUxM1owTDELMAkGA1UEBhMCREUxJDAiBgNVBAoTG1VuaXZlcnNpdGFldCBLb2Js
ZW56LUxhbmRhdTEXMBUGA1UEAxMOUmFpbmVyIEtyaWVua2UwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC3fk7YzkNprbcZLd1q5RPDhU0s7G4WNk7zlvhn3Qvtw7Dd9WXb+GCU
eDvWmjW5047V/mo+XSvGVow8b2vh8EYTaqrJtlahzKeGdnzx66vfEtG59WOPW4OJjz29wePZ
/SC+ihe/z6eHYlYvd7KNbLYSLrBtHzETfLsQfxA7WrSU49y2tyhWt+uGWpf9KDLXhgDSDXkE
GAlblcnF5Dy1a3s1ovpDz7sGIEtLb10Vmqzkl6ujvrFoC+XCWRA9LUHlGZoRhxMFGTfESQnu
OS4eEbsHbYa6hIl1RM/GOJZ+2f5tTLDwCemVpRgbw/A6VLtrf3BgbUFxV9HVpSDogqerBXSx
AgMBAAGjggIvMIICKzBABgNVHSAEOTA3MBEGDysGAQQBga0hgiwBAQQDAzARBg8rBgEEAYGt
IYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFMEK3ZjogAOrQN9kqcad7GXo
IV9fMB8GA1UdIwQYMBaAFC/dE5hjXAvDb7jthuADJ8FvurYCMCEGA1UdEQQaMBiBFmtyaWVu
a2VAdW5pLWtvYmxlbnouZGUwfQYDVR0fBHYwdDA4oDagNIYyaHR0cDovL2NkcDEucGNhLmRm
bi5kZS9yaHJrLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwOKA2oDSGMmh0dHA6Ly9jZHAyLnBj
YS5kZm4uZGUvcmhyay1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIHNBggrBgEFBQcBAQSBwDCB
vTAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQ
MEIGCCsGAQUFBzAChjZodHRwOi8vY2RwMS5wY2EuZGZuLmRlL3JocmstY2EvcHViL2NhY2Vy
dC9nX2NhY2VydC5jcnQwQgYIKwYBBQUHMAKGNmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvcmhy
ay1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEARlGSlU2N
HUZUceWqCORu6GE01oJ4zlhBWzom12dCfDKQWdNh4ENsL/HBFvnXaUxiwBWtCuRtjougXPh0
6lTTgKMpTBvHqjp+YVBJjQiRXG8Pi03uQCgb6GmRn/rsQQCjNEpW0ooR2PeVLQxI8HcjY1Nu
2J7uyaEP9LXl0t1CdqQNtPkfKU6dFA/faZLPKrlDlDQhwwQteqRBu3BraD/vx+9DvHpW8GuY
A9nkm4ajLFZ6aFoHSzNg5B/e0w9ftJ8/QYjsC22B0a348kkYLcG2E7o62ruWHhGBZbPwtjzR
laMp6lVLB9AWMyR6nUMRcyqRrBDKXN9nfxoBJ1qJoCSi4jGCA8swggPHAgEBMIGOMIGCMQsw
CQYDVQQGEwJERTE5MDcGA1UEChMwUmVnaW9uYWxlcyBIb2Noc2NodWxyZWNoZW56ZW50cnVt
IEthaXNlcnNsYXV0ZXJuMRYwFAYDVQQDEw1SSFJLLUNBIC0gRzAyMSAwHgYJKoZIhvcNAQkB
FhFjYUByaHJrLnVuaS1rbC5kZQIHGNb7qBokhDAJBgUrDgMCGgUAoIICETAYBgkqhkiG9w0B
CQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNTA0MDExMjAzNDFaMCMGCSqGSIb3
DQEJBDEWBBRjHSWopoz6cdl+IMyrJ0/X0kPI+TBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFl
AwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3
DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGfBgkrBgEEAYI3EAQxgZEwgY4wgYIx
CzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1bHJlY2hlbnplbnRy
dW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIxIDAeBgkqhkiG9w0B
CQEWEWNhQHJocmsudW5pLWtsLmRlAgcY1vuoGiSEMIGhBgsqhkiG9w0BCRACCzGBkaCBjjCB
gjELMAkGA1UEBhMCREUxOTA3BgNVBAoTMFJlZ2lvbmFsZXMgSG9jaHNjaHVscmVjaGVuemVu
dHJ1bSBLYWlzZXJzbGF1dGVybjEWMBQGA1UEAxMNUkhSSy1DQSAtIEcwMjEgMB4GCSqGSIb3
DQEJARYRY2FAcmhyay51bmkta2wuZGUCBxjW+6gaJIQwDQYJKoZIhvcNAQEBBQAEggEASJCQ
E0CF+qU4QpdcuJT5QtX7nNVdgbLbhYBjPSD8nwTA3fWMeRed64DPH76XqafM6lMeTEOsKsbd
erbAycknwIv79WJL16CvLBQcmtnwzKUkGfj34alJ3iDT3mZBFp2trrsserv4iXbFhEBNkrFi
FViR8+rggK3stcS5C1iWe+GuVyA4EYfPfOaOuUp/YPm7syj2JqhFuxaNTyHBbNiT+blYU3NO
hv2ogI0UnAWRTV0PYxsAu2PprRJFJHFs/voIr5ylfQkZ0+wHu56CysRcV3KLo6jcKLDWKuhu
+hWx3i0vGN4dqPM0plDl+b4CZfrQgOzNoVf/Ig2/G56hdZsnkQAAAAAAAA==
--------------ms080804020205020309050602--
--===============1491218384==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============1491218384==--
