kadm5.acl rights for foreign principals

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Mar 12 14:25:38 EST 2002


>Kerberos FAQ states it's possible (although does not recommend)
>we can refer foreign principals giving them rights in kadm5.acl 
>file if we trust foreign KDC.

Are you sure it says that?  As the author of the Kerberos FAQ, I can't
find that (it does mention ACLs, but doesn't specifically mention
kadm5.acl).

>Since we have a multi-realm KDC and in real life the same
>people will manage those realms, I'd like to give permissions
>to the same principal and if possible I wouldn't like to
>create user/admin@REALM1, user/admin@REALM2. I just want to
>insert an entry for user/admin@REALM1 in kadm5.acl file
>for each domain. 

Unfortunately ... because kadmin/admin is set to only allow AS_REQ based
requests (which you don't want to change, trust me) and there's no way
to do cross-realm without a TGS-based request, then you're stuck.  You can't
do what you want.

--Ken


