[37816] in Kerberos
Re: Cross-Realm Admins
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 19 23:54:44 2016
To: "Kemper, Stephan" <stephan.kemper@viasat.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <bb23b4ae-0c92-b274-146b-50bbc754b391@mit.edu>
Date: Mon, 19 Dec 2016 23:54:25 -0500
In-Reply-To: <AD903E07-E2BA-477D-8867-0BF4AAECDCEF@contoso.com>
On 12/19/2016 03:50 PM, Kemper, Stephan wrote:
> The problem is with our admin principals. I can’t seem to get our KDC to hand me the service ticket that I want. Each time I run a `kinit -S kadmin/admin@B.VIASAT.COM -c ccache skemper/admin@VIASAT.COM` I get back a service of kadmin/admin@VIASAT.COM, the root realm.

kinit performs an AS request. AS requests cannot be cross-realm, and
the kinit -S flag can only specify the name part of the service
principal, not the realm.

Because kadmin tickets must be obtained via AS request, there isn't
currently any way to do cross-realm administration; each realm must have
its own administrative principals.