[37827] in Kerberos
Re: OTP and kadmin
daemon@ATHENA.MIT.EDU (Felix Weissbeck)
Mon Jan 9 09:35:45 2017
From: Felix Weissbeck <contact-kerberos@w7k.de>
To: Benjamin Kaduk <kaduk@mit.edu>, kerberos@mit.edu
Date: Mon, 09 Jan 2017 15:35:25 +0100
Message-ID: <1759628.2ZORJyPht3@entenkatapult>
In-Reply-To: <20170108183326.GC8460@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Ben and thanks for your help.
On Sunday, 8 January 2017 12:33:26 CET Benjamin Kaduk wrote:
> One thing to try would be separating getting tickets and authenticating
> to kadmin, aka
>
> kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
> kadmin -c FILE:/tmp/krb5cc_admin -p user/admin
OK, getting the service principal with only my existing princ does not exactly
work; this returns "kinit: Invalid argument while getting initial credentials".
If I change it to match the whole preauth stuff, it works:
root@ldap:~# kdestroy -A
root@ldap:~# kinit -n
root@ldap:~# kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r 5m -l 5m -T FILE:/tmp/krb5cc_0_iC5PjpBw3M fe/admin@W7K.DE
Enter OTP Token Value:
root@ldap:~# kadmin -c FILE:/tmp/krb5cc_admin
Authenticating as principal fe/admin@W7K.DE with existing credentials.
kadmin: list_principals
HTTP/..........
HTTP/...
> That would make it more clear if it is just a failure in the kadmin client
> logic.
To me this seems to be the case.
> -Ben
That does actually already work for me since I already have a little wrapper to
obtain these admin tickets, so that my users get two prompts for Password and
Yubikey. I can just add the kadmin functionality there.
Regards
Felix
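The "little wrapper" flow described in this message, as an added example that is not Felix's own script: anonymous FAST armor from `kinit -n`, an OTP-preauthenticated ticket obtained directly for `kadmin/admin` in its own short-lived cache, then `kadmin -c` with those credentials and cleanup of both caches on exit. The principal default, cache directory layout and lifetime are assumptions.

```shell
#!/bin/sh
# Hypothetical kadmin wrapper (added example, not from the list posting).
# Assumptions: MIT krb5 kinit/kadmin/kdestroy on PATH, a KDC that permits
# anonymous PKINIT for FAST armor, and OTP preauth enabled for the principal.
set -eu

ADMIN_PRINC="${1:-fe/admin@W7K.DE}"     # assumed admin principal
LIFETIME="${KADMIN_TICKET_LIFE:-5m}"     # short lifetime limits exposure

# Build the kinit argument string for the admin ticket so it can be
# inspected (and tested) without contacting a KDC.
kinit_admin_args() {
    princ="$1"; armor_cc="$2"; admin_cc="$3"; life="$4"
    printf '%s' "-c FILE:$admin_cc -S kadmin/admin -r $life -l $life -T FILE:$armor_cc $princ"
}

# Private directory for the two temporary credential caches.
make_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/krb5adm.XXXXXX")
    chmod 700 "$d"
    printf '%s' "$d"
}

obtain_admin_ticket_and_run_kadmin() {
    tmp=$(make_tmpdir)
    armor_cc="$tmp/armor"
    admin_cc="$tmp/admin"
    # Destroy both caches when done, even if a step fails.
    trap 'kdestroy -q -c "FILE:$admin_cc" 2>/dev/null; kdestroy -q -c "FILE:$armor_cc" 2>/dev/null; rm -rf "$tmp"' EXIT INT TERM

    # 1. Anonymous ticket used only as FAST armor (the "kinit -n" step).
    kinit -n -c "FILE:$armor_cc"
    # 2. OTP-preauthenticated ticket for kadmin/admin in its own cache;
    #    the user is prompted for the OTP token value here.
    kinit $(kinit_admin_args "$ADMIN_PRINC" "$armor_cc" "$admin_cc" "$LIFETIME")
    # 3. kadmin with existing credentials; remaining arguments pass through.
    kadmin -c "FILE:$admin_cc" -p "$ADMIN_PRINC" "$@"
}

# Only perform the real Kerberos exchange when explicitly requested, so the
# functions above can be sourced or tested on a host without a KDC.
if [ "${RUN_KADMIN_WRAPPER:-0}" = 1 ]; then
    obtain_admin_ticket_and_run_kadmin "$@"
fi
```

Run with `RUN_KADMIN_WRAPPER=1 ./kadmin-wrapper.sh fe/admin@W7K.DE` to go through the anonymous-armor and OTP prompts and land in kadmin; the two caches live only for the session.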
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos