[38509] in Kerberos


Cross realm kadmin

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Mon Mar 25 07:29:17 2019

Message-ID: <4b6d30cfbb082e71740ca8ab5129d7962db343ef.camel@ed.ac.uk>
From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: <kerberos@mit.edu>
Date: Mon, 25 Mar 2019 11:28:33 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

We have two MIT krb5 realms: LIVE and TEST.

I would like to add principals from LIVE into TEST's kadm5.acl file so
they can manage the TEST realm's principals, authenticating from
keytabs.

From what I can glean in the archives this isn't possible due to
kadmin/admin@TEST being denied to TGS requests, which includes cross
realm trust links.

I tried removing the DISALLOW_TGT_BASED flag from kadmin/admin@TEST
with no effect.

The kadmin command on a host in the LIVE realm obtained a 
kadmin/admin@LIVE ticket and presented that to the TEST kadmin server
which of course couldn't verify it.

If this behaviour is impossible, I will have to ensure all my
management hosts default to the same realm that they are managing.  Or
is there something I am missing?

Cheers,

Kenny.



-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
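The question above turns on two separate steps: kadmind first authenticates the client over GSSAPI using a kadmin/admin@TEST service ticket, and only then evaluates kadm5.acl for the requested operation. The matcher below is an added example, not code from the post or from MIT krb5; it evaluates kadm5.acl entries of the form `principal permissions [target_principal [restrictions]]` for a constructed TEST-realm ACL that lists LIVE principals, so you can see what such entries would grant if the authentication step succeeded. Assumptions of the example: a whole name component or realm equal to `*` is a wildcard, partial wildcards and `*N` back-references are not supported, restrictions are parsed but ignored, and the first entry whose principal (and target, if present) matches decides the outcome; `x` and `*` expand to `admcilsp`, which does not include `e`.

```python
"""Simplified evaluator for MIT krb5 kadm5.acl entries (added example, not MIT code).

Line format, per the kadm5.acl man page:

    principal  permissions  [target_principal  [restrictions]]

Assumptions made here: a whole component or realm equal to '*' is a wildcard,
no partial wildcards or *N back-references, restrictions are ignored, and the
first entry whose principal (and target, if given) matches decides the result.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed kadm5.acl for a TEST realm that lists LIVE principals as admins.
SAMPLE_ACL = """\
# kadm5.acl for TEST (constructed sample)
*/admin@TEST        *
kenny/admin@LIVE    admcil
*/admin@LIVE        l       *@TEST
"""

PRIV_LETTERS = "admcilspe"       # all privilege letters kadm5.acl knows
ALL_PRIVS = set("admcilsp")      # what 'x' / '*' expand to; 'e' is not included


@dataclass
class AclEntry:
    principal: str
    permissions: str
    target: Optional[str] = None
    restrictions: Optional[str] = None


def split_principal(name: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); a missing realm becomes ''."""
    local, sep, realm = name.rpartition("@")
    if not sep:
        local, realm = name, ""
    return local.split("/"), realm


def principal_matches(pattern: str, name: str) -> bool:
    """Component-wise comparison; a component that is exactly '*' matches anything."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps):
        return False
    if prealm not in ("*", nrealm):
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))


def parse_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl text; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"kadm5.acl line {lineno}: expected 2 to 4 fields")
        entries.append(AclEntry(*fields))
    return entries


def expand_permissions(perms: str) -> Tuple[Set[str], Set[str]]:
    """Return (granted, denied) privilege letters for a permission field."""
    granted, denied = set(), set()
    for ch in perms:
        if ch in ("x", "*"):
            granted |= ALL_PRIVS
        elif ch in PRIV_LETTERS:
            granted.add(ch)
        elif ch.lower() in PRIV_LETTERS:      # uppercase letter denies
            denied.add(ch.lower())
        else:
            raise ValueError(f"unknown permission character {ch!r}")
    return granted, denied


def acl_allows(entries: List[AclEntry], client: str, priv: str,
               target: Optional[str] = None) -> bool:
    """Decide whether `client` may exercise privilege `priv` (one letter),
    optionally on `target`, using the first matching entry."""
    for entry in entries:
        if not principal_matches(entry.principal, client):
            continue
        if entry.target is not None:
            if target is None or not principal_matches(entry.target, target):
                continue
        granted, denied = expand_permissions(entry.permissions)
        return priv in granted and priv not in denied
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for client, priv, target in [("kenny/admin@LIVE", "a", None),
                                 ("alice/admin@LIVE", "l", "bob@TEST"),
                                 ("alice/admin@LIVE", "a", "bob@TEST"),
                                 ("root/admin@TEST", "e", None)]:
        print(f"{client} priv={priv} target={target} -> {acl_allows(acl, client, priv, target)}")
```

Note that nothing in this evaluator is reached for a LIVE principal unless the client could first obtain kadmin/admin@TEST, which is precisely the step the post reports failing; the ACL is the second gate, not the first.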
