[38512] in Kerberos


Re: Cross realm kadmin

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 25 12:16:54 2019

To: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <cc48b80d-42e2-a474-b788-803441dea621@mit.edu>
Date: Mon, 25 Mar 2019 12:16:36 -0400
MIME-Version: 1.0
In-Reply-To: <4b6d30cfbb082e71740ca8ab5129d7962db343ef.camel@ed.ac.uk>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> If this behaviour is impossible, I will have to ensure all my
> management hosts default to the same realm that they are managing.  Or
> is there something I am missing?

I don't think it can work with kadmin -k (authenticating from keytab),
because kadmin will try to use the keytab to directly get credentials
for the server realm with an AS request.  Since there is no cross-realm for AS
requests, it winds up getting credentials for the client realm instead.

I was able to make cross-realm kadmin work in a test environment with
kadmin -c.  I ran kinit normally, then used kvno to explicitly get
tickets for kadmin/admin@TEST.  The kvno step is necessary because
kadmin -c expects the necessary credential to already be present in the
ccache; it won't make a TGS request for them.  Then I ran kadmin -c
/path/to/ccache -r TEST.  Of course I also had to remove the
DISALLOW_TGT_BASED flag from the kadmin/admin@TEST principal entry, as
you did in your tests.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
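As an added example (not code from the message above or from MIT Kerberos), the sequence Greg describes wrapped in a POSIX shell script: kinit for the client realm, kvno to pull kadmin/admin@TEST into the ccache, a check that the ticket is actually there (kadmin -c will not fetch it itself), and only then kadmin -c with -r. The realm TEST and the kadmin/admin service name come from the message; the client realm CLIENT.EXAMPLE, the ccache path, the principal name and the sample klist output are assumed placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: cross-realm kadmin via an explicitly populated ccache.
# Assumptions (not from the post): client realm CLIENT.EXAMPLE, the ccache
# path below, and the klist sample used by demo_check().

ADMIN_REALM="${ADMIN_REALM:-TEST}"                 # realm being administered (from the post)
CCACHE="${CCACHE:-/tmp/krb5cc_xrealm_$$}"          # assumed ccache path
KADMIN_SERVICE="kadmin/admin@${ADMIN_REALM}"       # ticket kadmin -c expects to find

# ccache_has_service LISTING PRINCIPAL
# Returns 0 if the klist output in LISTING contains a ticket for PRINCIPAL,
# 1 otherwise. klist prints one ticket per line after the header, with the
# service principal as the last whitespace-separated field; the
# "Default principal:" line is skipped so a client principal never matches.
ccache_has_service() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 3 && $1 != "Default" && $NF == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# cross_realm_kadmin CLIENT_PRINCIPAL [kadmin args...]
# Runs the sequence from the post. Requires that the kadmin/admin@TEST entry
# no longer carries DISALLOW_TGT_BASED, as noted in the message.
cross_realm_kadmin() {
    princ="$1"; shift
    KRB5CCNAME="FILE:${CCACHE}"; export KRB5CCNAME
    kinit "$princ" || return 1                       # TGT for the client realm
    kvno "$KADMIN_SERVICE" || return 1               # TGS request: cross-realm to TEST
    if ! ccache_has_service "$(klist)" "$KADMIN_SERVICE"; then
        echo "no ticket for $KADMIN_SERVICE in $CCACHE; kadmin -c would fail" >&2
        return 1
    fi
    kadmin -c "$CCACHE" -r "$ADMIN_REALM" "$@"       # no TGS request made here
}

# Constructed klist output (not real data) exercising the check offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@CLIENT.EXAMPLE

Valid starting       Expires              Service principal
03/25/2019 12:00:00  03/25/2019 22:00:00  krbtgt/CLIENT.EXAMPLE@CLIENT.EXAMPLE
03/25/2019 12:00:05  03/25/2019 22:00:00  krbtgt/TEST@CLIENT.EXAMPLE
03/25/2019 12:00:10  03/25/2019 22:00:00  kadmin/admin@TEST'

# demo_check: returns 0 when the parser accepts the populated sample and
# rejects a service that is absent from it.
demo_check() {
    ccache_has_service "$SAMPLE_KLIST" "kadmin/admin@TEST" || return 1
    if ccache_has_service "$SAMPLE_KLIST" "kadmin/admin@CLIENT.EXAMPLE"; then
        return 1
    fi
    return 0
}
```

Invoke as `cross_realm_kadmin admin@CLIENT.EXAMPLE listprincs` on a host with the MIT client tools; the check step makes the failure mode Greg describes (kadmin -c finding no credential) visible before kadmin is run rather than as a cryptic kadmin error. With `kadmin -k` the same wrapper would not help, since the AS request would still land in the client realm.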
