[37828] in Kerberos
Re: OTP and kadmin
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 9 10:50:06 2017
To: Felix Weissbeck <contact-kerberos@w7k.de>, Benjamin Kaduk <kaduk@mit.edu>,
kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <cf3131f7-ed56-5ee7-4637-5e219a761c7e@mit.edu>
Date: Mon, 9 Jan 2017 10:49:50 -0500
In-Reply-To: <1759628.2ZORJyPht3@entenkatapult>

On 01/09/2017 09:35 AM, Felix Weissbeck wrote:
> That does actually already work for me since I already have a little wrapper to
> obtain these admin tickets, so that my users get two prompts for Password and
> Yubikey. I can just add the kadmin functionality there.

I'm glad you found a workaround. I think I see two issues here:

1. kadmin has no equivalent of the kinit -T option.

2. Users should never see an "Invalid argument" error message.

Unfortunately, I can't reproduce this; in similar circumstances, I get a
"Generic preauthentication failure" message as I would expect. (That
error message could probably be improved, but it's at least better than
an EINVAL.)

Can you run one of the failing cases with KRB5_TRACE=/dev/stdout and
send me the output?