[30924] in Kerberos
Re: Obtaining Service Ticket with TGT only (via shell commands)
daemon@ATHENA.MIT.EDU (Frank Gruellich)
Wed Mar 25 06:47:48 2009
Message-ID: <49CA0B8A.1020109@navteq.com>
Date: Wed, 25 Mar 2009 11:46:34 +0100
From: Frank Gruellich <frank.gruellich@navteq.com>
MIME-Version: 1.0
To: kerberos@MIT.EDU
In-Reply-To: <1237913069.6246.263.camel@ray>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
Greg Hudson wrote:
> On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote:
>> But for some reason it does not work with the kadmin/admin service
>> principal:
> If you go into kadmin and run "getprinc kadmin/admin", you should see:
>
> Attributes: DISALLOW_TGT_BASED
>
> which means you can only get a ticket for this principal with an initial
> ticket request and not with a TGT. You can change this with "modprinc
> +allow_tgs_req kadmin/admin"
True, works. Thanks.
> but I believe that would compromise the requirement that people have
> to reenter their passwords in order to run kadmin.
But that's, in fact, my intention. I know that kadmin is some kind of
critical tool. If security aspects are the only problem with this setup
I'll drop them. I accept that kadmin/admin service is just something
like host/eloy.example.com.
> For the purposes of your script, you can either treat a "KDC policy
> rejects request" error as an indication that the principal exists, or
> you can assume you won't run into that situation on any of the
> principals you are managing with the script.
Oh, that's a good idea, too. But at some point the script's caller has
to do changes to the KDC database, so I need the kadmin/admin ticket
anyway.
Thanks a lot for your help.
Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
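An added example, not from the thread, of the script-side check Greg suggests: classify the outcome of a TGT-based service ticket request and treat the "KDC policy rejects request" error as evidence that the principal exists, instead of removing DISALLOW_TGT_BASED from kadmin/admin. It assumes the request is made with MIT Kerberos' kvno (the thread does not name the command); the principal names and realm are constructed.

```shell
# Added example (not from the thread). Classifies the outcome of a TGT-based
# service ticket request so a management script can tell "principal exists"
# from "principal missing" without relaxing DISALLOW_TGT_BASED on kadmin/admin.
#
# classify_ticket_result EXIT_STATUS STDERR_TEXT
#   prints one of: exists | missing | error
classify_ticket_result() {
    status=$1
    errtext=$2
    if [ "$status" -eq 0 ]; then
        # A ticket was issued: the principal exists and allows TGS requests.
        echo exists
        return 0
    fi
    case "$errtext" in
        *"KDC policy rejects request"*)
            # KRB5KDC_ERR_POLICY: the KDC found the principal but refused a
            # TGT-based ticket for it (e.g. DISALLOW_TGT_BASED). It exists.
            echo exists ;;
        *"Server not found in Kerberos database"*)
            # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: no such principal.
            echo missing ;;
        *)
            # Expired TGT, unreachable KDC, typo in the name: do not guess.
            echo error ;;
    esac
    return 0
}

# principal_exists PRINCIPAL
#   Assumption: the ticket request is made with kvno using the caller's
#   current TGT (the thread does not name the command its script uses).
principal_exists() {
    errtext=$(kvno "$1" 2>&1 >/dev/null)
    classify_ticket_result $? "$errtext"
}

# Usage from a management script (constructed names):
#   case "$(principal_exists kadmin/admin@EXAMPLE.COM)" in
#       exists)  echo "principal present" ;;
#       missing) echo "principal absent" ;;
#       *)       echo "cannot determine; check your TGT and the KDC" >&2; exit 1 ;;
#   esac
```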