[37817] in Kerberos


Re: Cross-Realm Admins

daemon@ATHENA.MIT.EDU (Kemper, Stephan)
Tue Dec 20 12:56:36 2016

From: "Kemper, Stephan" <stephan.kemper@viasat.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 20 Dec 2016 17:56:20 +0000
Message-ID: <E8DBF94D-1231-426E-A22A-17744F16700E@viasat.com>
In-Reply-To: <bb23b4ae-0c92-b274-146b-50bbc754b391@mit.edu>

Hi Greg,

OK, that’s what I was afraid of.  It’ll make things a bit trickier, but I think we’ve identified a way to manage that.  Thanks for the information!


Stephan Kemper
ViaSat, Inc.

On 12/19/16, 8:54 PM, "Greg Hudson" <ghudson@mit.edu> wrote:

    On 12/19/2016 03:50 PM, Kemper, Stephan wrote:
    > The problem is with our admin principals.  I can’t seem to get our KDC to hand me the service ticket that I want.  Each time I run a `kinit -S kadmin/admin@B.VIASAT.COM -c ccache skemper/admin@VIASAT.COM` I get back a service of kadmin/admin@VIASAT.COM, the root realm.
    
    kinit performs an AS request.  AS requests cannot be cross-realm, and
    the kinit -S flag can only specify the name part of the service
    principal, not the realm.
    
    Because kadmin tickets must be obtained via AS request, there isn't
    currently any way to do cross-realm administration; each realm must have
    its own administrative principals.
    


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

