[16202] in Kerberos-V5-bugs
[krbdev.mit.edu #8761] ksu doesn't allow acquisition of
daemon@ATHENA.MIT.EDU (Toby Blake via RT)
Tue Nov 13 11:50:59 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Toby Blake via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8761@krbdev.mit.edu>
Message-ID: <rt-8761-49160.3.26804054029687@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8761'":;
Date: Tue, 13 Nov 2018 11:50:32 -0500 (EST)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Hi,
If a principal has the DISALLOW_FORWARDABLE attribute in the KDC, but
/etc/krb5.conf has forwardable = true, then it is impossible to obtain
a ticket using ksu ("KDC policy rejects request while getting initial
credentials").
Would you be interested in a patch to implement a -F option (in the same
way as kinit) to explicitly request a non-forwardable ticket?
Cheers
Toby Blake
School of Informatics
University of Edinburgh
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
