[krbdev.mit.edu #6337] kadmin should force non-forwardable tickets

Russ Allbery <rra@stanford.edu> via RT rt-comment at krbdev.mit.edu
Tue Jan 13 15:38:00 EST 2009


We make forwardable tickets the default in the [libdefaults] section of
our krb5.conf file, but we disable forwardable tickets for privileged
principals (*/root, */admin).  Authenticating to kadmin with a password
as a privileged account therefore fails on systems with our default
krb5.conf file.

In kadm5_gic_iter() when authenticating with a password, the client
library sets up a krb5_get_init_creds_opt structure but doesn't set any
parameters in it.  Since the acquired credentials are going into a
memory cache specific to that client invocation, forwardable tickets are
pointless.  I think the kadmin client library should therefore force the
forwardable option (and probably the proxiable option and renewable
time) to false.
