[23830] in Kerberos


Re: MacOSX Tiger kadmin uses a non-standard service principal

daemon@ATHENA.MIT.EDU (Ben Poliakoff)
Thu May 5 17:58:17 2005

Date: Thu, 5 May 2005 14:55:49 -0700
From: Ben Poliakoff <benp@reed.edu>
To: Tom Yu <tlyu@mit.edu>
Message-ID: <20050505215548.GE18361@tristero.reed.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ldvwtqdwdls.fsf@cathode-dark-space.mit.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

* Tom Yu <tlyu@MIT.EDU> [20050505 14:46]:

> The admin protocol changed in krb5-1.4 (which is what Tiger's krb5 is
> based on), for compatibility with Sun's kadmin protocol, which uses
> the standards-track RPCSEC_GSS authentication flavor, rather than the
> old non-standard authentication flavor used previously.  Sun's kadmin
> protocol uses kadmin/FQDN rather than kadmin/admin for the service
> principal.  Support for transparent fallback of the kadmin protocol
> was not implemented until krb5-1.4.1.

Thanks much for the quick explanation!

> One workaround is to invoke the kadmin client with the "-O" flag to
> force the use of the old protocol, or to upgrade to krb5-1.4.1.  I
> don't know when Apple intends to pick up krb5-1.4.1.

Thanks again.  The -O option will work for now.  With upgrades all
around in the near future.

Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
