kadm5.acl rights for foreign principals
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Mar 12 14:36:26 EST 2002
>If only GSS-API had a concept of "initial" credentials so that acceptors
>could request initial credentials. But that would necessitate a
>gss_acquire_cred() API that could handle user prompting.
I don't even think this is a GSSAPI issue. I mean, you can't do cross-realm
unless you're doing a TGS_REQ, and you're prohibited from using a TGS_REQ
to get a kadmin/admin ticket. You couldn't fix this even with raw Kerberos.
--Ken
More information about the Kerberos
mailing list