[38153] in Kerberos
Re: -allow_tgs_req
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 8 22:58:53 2018
From: Russ Allbery <eagle@eyrie.org>
To: Chris Hecker <checker@d6.com>
In-Reply-To: <f1f0a286-6de0-d147-1a84-bbcb37d59c90@d6.com> (Chris Hecker's
message of "Mon, 8 Jan 2018 19:52:12 -0800")
Date: Mon, 08 Jan 2018 19:58:38 -0800
Message-ID: <87h8rvel8x.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Chris Hecker <checker@d6.com> writes:
> If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> shouldn't be able to kinit with it, right? I'm able to get TGTs though
> with kinit and the keytab for this service, and then get service tickets
> with kvno; I need to update my KDC and see if this is still true, or
> mabye I'm misunderstanding how it works...?
That prevents other principals from getting service tickets for that
principal using a TGT. It's intended for principals like kadmin/changepw
that want to force an AS-REQ to get a service ticket for that principal.
It doesn't have any effect on authenticating as that principal.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos