
Re: Cross realm kadmin

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Mon Mar 25 13:39:59 2019

Message-ID: <bcf048fc24ee712822c4c18cb337d4ec988bfbb4.camel@ed.ac.uk>
From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: Greg Hudson <ghudson@mit.edu>, <kerberos@mit.edu>
Date: Mon, 25 Mar 2019 17:39:30 +0000
In-Reply-To: <cc48b80d-42e2-a474-b788-803441dea621@mit.edu>

On Mon, 2019-03-25 at 12:16 -0400, Greg Hudson wrote:
> On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> > If this behaviour is impossible, I will have to ensure all my
> > management hosts default to the same realm that they are
> > managing.  Or is there something I am missing?
> 
> I don't think it can work with kadmin -k (authenticating from keytab),
> because kadmin will try to use the keytab to directly get credentials
> for the server realm with an AS request.  Since there is no cross-realm
> for AS requests, it winds up getting credentials for the client realm
> instead.
> 
> I was able to make cross-realm kadmin work in a test environment with
> kadmin -c.  I ran kinit normally, then used kvno to explicitly get
> tickets for kadmin/admin@TEST.  The kvno step is necessary because
> kadmin -c expects the necessary credential to already be present in the
> ccache; it won't make a TGS request for them.  Then I ran kadmin -c
> /path/to/ccache -r TEST.  Of course I also had to remove the
> DISALLOW_TGT_BASED flag from the kadmin/admin@TEST principal entry, as
> you did in your tests.

Thank you very much for this pointer - I will see if our automation can
be convinced to follow this route if we are willing to accept the lower
security on the TEST realm.

Cheers,

Kenny.

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
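The kadmin -c route Greg Hudson describes above, written out as an added shell example; it is not from the thread or from the MIT krb5 project. It assumes MIT krb5 client tools (kinit, kvno, klist, kadmin) on PATH, a ccache path of /tmp/krb5cc_kadmin, and the realm name TEST used in the thread. The klist output used for the offline self-check is constructed, and RUN_CROSS_REALM_KADMIN is a hypothetical guard variable so the file runs without contacting a KDC. The point of has_service_ticket is the failure mode named above: kadmin -c never makes its own TGS request, so the kadmin/admin@TEST ticket is verified to be in the cache before kadmin is started.

```shell
#!/bin/sh
# Cross-realm kadmin with a credential cache (kadmin -c), following the
# sequence from the thread: kinit in the client realm, kvno to pull the
# kadmin/admin@<realm> service ticket into the ccache, then kadmin -c.
# Added example, not the thread's or the project's code; assumes MIT krb5
# client tools on PATH.

# Return 0 if the klist text in $1 lists a ticket for service principal $2.
# kadmin -c does not make its own TGS request, so the ticket must already
# be in the cache; this check gives a clear message before kadmin runs.
has_service_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { found = 1 } END { exit !found }'
}

# Run kadmin against the remote realm $2 using the ccache at $1.
# Remaining arguments are passed to kadmin (for example: listprincs).
# Caveat from the thread: kadmin/admin@<realm> must not carry the
# DISALLOW_TGT_BASED flag, which lowers that principal's protection.
cross_realm_kadmin() {
    ccache="$1"
    realm="$2"
    shift 2
    KRB5CCNAME="$ccache"
    export KRB5CCNAME
    kinit                          # AS exchange: TGT for the client realm only
    kvno "kadmin/admin@$realm"     # TGS exchange via the cross-realm TGT; stores the service ticket
    if ! has_service_ticket "$(klist -c "$ccache")" "kadmin/admin@$realm"; then
        echo "kadmin/admin@$realm is not in $ccache; kadmin -c will not fetch it" >&2
        return 1
    fi
    kadmin -c "$ccache" -r "$realm" "$@"
}

# Constructed klist output for an offline self-check (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_kadmin
Default principal: kenny@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/25/2019 17:00:00  03/26/2019 03:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
03/25/2019 17:00:05  03/26/2019 03:00:00  krbtgt/TEST@EXAMPLE.ORG
03/25/2019 17:00:05  03/26/2019 03:00:00  kadmin/admin@TEST'

# Hypothetical guard variable: only talk to a KDC when explicitly asked.
if [ "${RUN_CROSS_REALM_KADMIN:-0}" = 1 ]; then
    cross_realm_kadmin /tmp/krb5cc_kadmin TEST listprincs
fi
```

Run it as `RUN_CROSS_REALM_KADMIN=1 sh cross-realm-kadmin.sh` once kadmin/admin@TEST accepts TGT-based tickets; without the variable the file only defines the functions, which is useful for sourcing from automation. Keeping a dedicated ccache path rather than the login cache avoids mixing the management host's own credentials with the cross-realm admin ticket.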