kadm5.acl rights for foreign principals

Marcio d'Avila Scheibler marcio at cpd.ufsm.br
Tue Mar 12 14:05:20 EST 2002


Hello,

The Kerberos FAQ states it's possible (although it does not recommend it)
to refer to foreign principals, giving them rights in the kadm5.acl
file, if we trust the foreign KDC.

Since we have a multi-realm KDC and in real life the same
people will manage those realms, I'd like to give permissions
to the same principal and, if possible, I wouldn't like to
create user/admin@REALM1, user/admin@REALM2. I just want to
insert an entry for user/admin@REALM1 in the kadm5.acl file
for each domain.

When I start kadmin client, it aborts with the following
error:

-----
$ kadmin -r REALM1 -s kdc:port -p user/admin@SUB.REALM1
Authenticating as principal user/admin@SUB.REALM1 with password.
kadmin: Client/server realm mismatch in initial ticket request while
initializing kadmin interface
-----

I'm monitoring with tcpdump and it does not show any
traffic between the kadmin client workstation and the KDC. I tried it
another way:

--
$ kinit -f user/admin@SUB.REALM1      # works ok

$ kadmin -r REALM1 -s kdc:port -p user/admin@SUB.REALM1 -c /tmp/krb5cc_1000
Authenticating as principal user/admin@SUB.REALM1 with existing
credentials.
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
--

In this second way, the workstation and KDC talk with each other, and
the KDC log shows the following lines:
---
Mar 12 15:55:09 rex.ufsm.br krb5kdc[130](info): TGS_REQ (3 etypes {16 3
1}) 200.18.32.104(88): TGT BASED NOT ALLOWED: authtime 1015953641,
user/admin@SUB.REALM1 for kadmin/admin@REALM1, KDC policy rejects
request
---

I had already done a hierarchical cross-realm setup between
REALM1 and SUB.REALM1 and it works for other apps (telnet, for
instance). I'm running MIT krb5 v1.2.3.

So the question: is it possible for a "foreign" principal to receive
admin rights for a database realm?
What's the configuration trick for that?

Thanks in advance.

------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte (marcio at cpd.ufsm.br)
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================
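The post turns on which kadm5.acl entries name principals from a realm other than the one the KDC's database belongs to, which is exactly what the FAQ flags as trusting a foreign KDC. The following is an added example, not code from the post or from MIT krb5: a small audit script that parses a kadm5.acl file, reports every entry granting rights to a foreign-realm principal, and resolves which permission string a given principal would match. The sample ACL (with REALM1 and SUB.REALM1 from the post) is constructed. It follows the documented MIT line format, principal / permissions / optional target, with `*` matching one whole component of a name; treating the first matching entry as authoritative and ignoring target principals and `*n` back-references are simplifying assumptions of this script, not a statement of kadmind's full behaviour.

```python
"""Audit kadm5.acl for rights granted to principals from other realms.

Added example (not from the mailing-list post or MIT krb5).
Line format per MIT documentation:
    <principal> <permissions> [<target principal> [<restrictions>]]
Lines starting with '#' are comments; '*' matches one whole component.
"""

# Constructed sample kadm5.acl for REALM1's database.
SAMPLE_ACL = """\
# local admins get everything
*/admin@REALM1          *
# a foreign-realm principal with full rights (the case the FAQ warns about)
user/admin@SUB.REALM1   *
# local host keytab management, restricted to a target pattern
host/*@REALM1           c   host/*@REALM1
# foreign-realm operators may only inquire and list
ops/*@SUB.REALM1        il
"""


def parse_principal(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def parse_acl(text):
    """Return a list of {'principal', 'perms', 'target'} dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        entries.append({
            "principal": fields[0],
            "perms": fields[1],
            "target": fields[2] if len(fields) > 2 else None,
        })
    return entries


def principal_matches(pattern, name):
    """Component-wise match; '*' matches exactly one whole component.

    The realm is compared exactly (wildcarding the realm is not modelled).
    """
    pcomps, prealm = parse_principal(pattern)
    ncomps, nrealm = parse_principal(name)
    if prealm != nrealm or len(pcomps) != len(ncomps):
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))


def foreign_entries(entries, local_realm):
    """Entries whose principal pattern lives outside the database's realm."""
    return [e for e in entries
            if parse_principal(e["principal"])[1] != local_realm]


def rights_for(entries, principal):
    """Permission string of the first matching entry, or None.

    Assumption of this script: first match wins; target patterns are ignored.
    """
    for e in entries:
        if principal_matches(e["principal"], principal):
            return e["perms"]
    return None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("entries granting rights to foreign principals (database realm REALM1):")
    for e in foreign_entries(acl, "REALM1"):
        print(f"  {e['principal']:28s} perms={e['perms']}")
    for who in ("user/admin@SUB.REALM1", "ops/box@SUB.REALM1", "bob@REALM1"):
        print(f"{who}: {rights_for(acl, who)}")
```

Run against a real file with `parse_acl(open('/var/kerberos/krb5kdc/kadm5.acl').read())` (path is an assumption; use the KDC's `acl_file` setting). Any entry the audit lists is rights delegated to whatever the foreign KDC says about that principal, which is the trust decision the FAQ asks you to make deliberately.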