[1736] in Kerberos-V5-bugs


Re: Krb5b5: bug or me doing it wrong?

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Dec 5 12:31:47 1995

Date: Tue, 5 Dec 1995 12:31:11 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: cmetz@inner.net
Cc: krb5-bugs@MIT.EDU
In-Reply-To: <199512030631.BAA23128@inner.net> (message from Craig Metz on Sun, 03 Dec 1995 01:31:59 -0500)

   Date: Sun, 03 Dec 1995 01:31:59 -0500
   From: Craig Metz <cmetz@inner.net>

	   My KDC refuses to forward anything, telling me that the TGT is not
   forwardable. So, I try running kdb5_edit and doing 
   'modent +allow_forwardable cmetz' and then 'show cmetz' and the attribute
   is not there and the server still won't forward it.

	   Am I doing this wrong, or is there a bug here?

There is a bug here; the internal flag which is stored by the Kerberos
database is "disallow_forwardable". In the UI, there was an attempt to
turn this negative flag bit into a positive-sense flag as seen by the
user.  Unfortunately, this attempt was flubbed.  So there is a bug here.

I think you're also doing something wrong; the default is that the KDC
will allow forwardable tickets to be issued.  However, in kinit you
have to explicitly request that you get a forwardable TGT.  If you don't
do this, you won't be able to forward tickets using that TGT.

Another way of putting this is that the attribute bit in the database
indicates whether or not the KDC will disallow a client from requesting
a forwardable ticket.  However, the kinit client still has to
explicitly request a forwardable ticket.

						- Ted
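
The following is an added example, not part of the original message and not code from the krb5 source. It models the two points in the reply: a positive-sense UI option mapped onto a negative-sense stored bit, and the rule that a ticket is forwardable only when the client requests it and the database does not forbid it. The function names and the bit value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the database attribute bit. The stored flag is
 * negative-sense ("disallow"), as the message describes; value is illustrative. */
#define ATTR_DISALLOW_FORWARDABLE 0x2u

/* Apply a positive-sense UI spec such as "+allow_forwardable" to the
 * negative-sense stored attributes. Returns 0 on success, -1 on bad input. */
int apply_ui_spec(unsigned *attrs, const char *spec)
{
    if (attrs == NULL || spec == NULL || (spec[0] != '+' && spec[0] != '-'))
        return -1;
    if (strcmp(spec + 1, "allow_forwardable") != 0)
        return -1;
    if (spec[0] == '+')
        *attrs &= ~ATTR_DISALLOW_FORWARDABLE;  /* allow  => clear the disallow bit */
    else
        *attrs |= ATTR_DISALLOW_FORWARDABLE;   /* forbid => set the disallow bit */
    return 0;
}

/* What a "show" command should display: the inverse of the stored bit. */
int ui_shows_allow_forwardable(unsigned attrs)
{
    return (attrs & ATTR_DISALLOW_FORWARDABLE) == 0;
}

/* A ticket is forwardable only if the client asked for it AND the
 * database entry does not forbid it. */
int ticket_is_forwardable(unsigned attrs, int client_requested)
{
    return client_requested && ui_shows_allow_forwardable(attrs);
}

int main(void)
{
    unsigned attrs = 0;   /* default entry: nothing disallowed */
    printf("default, not requested: %d\n", ticket_is_forwardable(attrs, 0));
    printf("default, requested:     %d\n", ticket_is_forwardable(attrs, 1));
    apply_ui_spec(&attrs, "-allow_forwardable");
    printf("forbidden, requested:   %d\n", ticket_is_forwardable(attrs, 1));
    apply_ui_spec(&attrs, "+allow_forwardable");
    printf("re-allowed, requested:  %d\n", ticket_is_forwardable(attrs, 1));
    return 0;
}
```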
