kadmin can't use TGT based?

Chaskiel M Grundman cg2v at andrew.cmu.edu
Mon Jan 3 17:08:42 EST 2005
--On Monday, January 03, 2005 00:19:47 +0000 Mark Roach
<mrroach at okmaybe.com> wrote:

> Hi, I'm fairly new to Kerberos. I want to verify that I understand this
> item correctly: Is it true that you can not use a TGT based ticket to
> connect to the kadmin server? 
If your realm is set up properly, then yes. It is proper practice to set
DISALLOW_TGT_BASED on the kadmin/admin, kadmin/changepw, and
changepw/kerberos service principals. That is, however, a policy decision,
not anything that is fixed in the protocol.

> This means that
> any application that uses the kadm5clnt library must prompt for a password
> and use kadm5_init_with_password in order to connect successfully, right?
In most circumstances, yes, applications need to be able to prompt for a
password.

> If that is the case, what is the purpose of kadm5_init_with_creds?
It is possible to obtain and store credentials for kadmin/admin in a ccache
(instead of storing krbtgt credentials) with kinit (see -S) or a custom
program if you wanted to invoke a kadm5client-using program more than once
in a short time period and did not want to re-enter the password.
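
The two halves of this reply, as an added shell example that is not part of the original post or of the MIT Kerberos project: (1) set +disallow_tgt_based on the kadmin service principals with kadmin.local and confirm it with getprinc, and (2) instead of prompting every time, use kinit -S to put a kadmin/admin service ticket (not a krbtgt) into a private ccache and drive kadmin from that cache with -c. The realm EXAMPLE.COM, the admin principal, the cache path, and the KADMIN_LOCAL/KINIT/KADMIN variables (there so a stub can stand in for the real binaries when no KDC is at hand) are assumptions; changepw/kerberos is the old krb4-era name and may not exist in a newer realm, so that loop reports and skips failures rather than aborting.

```shell
#!/bin/sh
# Added example, not from the original post or from MIT Kerberos.
# Assumptions: realm/principal names below are placeholders; the tool
# variables exist only so a stub can replace the real binaries for a dry run.
KADMIN_LOCAL="${KADMIN_LOCAL:-kadmin.local}"
KADMIN="${KADMIN:-kadmin}"
KINIT="${KINIT:-kinit}"
KDESTROY="${KDESTROY:-kdestroy}"

# Service principals whose tickets should only come from an initial
# (password-based) request, never from a TGT. changepw/kerberos may be
# missing on a newer realm (assumption), so failures are counted, not fatal.
KADMIN_SERVICES="kadmin/admin kadmin/changepw changepw/kerberos"

# harden_kadmin_principals REALM
# Sets +disallow_tgt_based on each service principal via kadmin.local.
# Prints the number of principals that could not be modified; always exits 0.
harden_kadmin_principals() {
    realm="$1"; failed=0
    for svc in $KADMIN_SERVICES; do
        if ! "$KADMIN_LOCAL" -q "modprinc +disallow_tgt_based ${svc}@${realm}" >/dev/null; then
            echo "warning: could not modify ${svc}@${realm}" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
}

# tgt_based_disallowed REALM PRINCIPAL
# Exits 0 when getprinc lists DISALLOW_TGT_BASED among the attributes.
tgt_based_disallowed() {
    "$KADMIN_LOCAL" -q "getprinc $2@$1" 2>/dev/null |
        grep -q 'Attributes:.*DISALLOW_TGT_BASED'
}

# kadmin_query_with_cache REALM ADMIN_PRINC CCACHE QUERY...
# kinit -S asks the KDC for a kadmin/admin service ticket directly from the
# password (an initial ticket, so DISALLOW_TGT_BASED does not block it) and
# stores it in CCACHE; every following kadmin call reuses that ticket with -c,
# so the password is entered once for the whole batch.
kadmin_query_with_cache() {
    realm="$1"; admin="$2"; ccache="$3"; shift 3
    "$KINIT" -S "kadmin/admin@${realm}" -c "$ccache" "$admin" || return 1
    for q in "$@"; do
        "$KADMIN" -c "$ccache" -p "$admin" -q "$q" || return 1
    done
}

# Usage when run directly: ./kadmin_no_tgt.sh EXAMPLE.COM alice/admin
if [ "$#" -ge 2 ]; then
    realm="$1"; admin="$2@$1"; cc="/tmp/krb5cc_kadmin_$$"
    echo "principals not modified: $(harden_kadmin_principals "$realm")"
    tgt_based_disallowed "$realm" kadmin/admin &&
        echo "kadmin/admin@$realm: DISALLOW_TGT_BASED is set"
    kadmin_query_with_cache "$realm" "$admin" "$cc" "getprinc $admin" "listprincs"
    "$KDESTROY" -c "$cc"   # the cached kadmin/admin ticket is as sensitive as the password
fi
```

Note that the cache created by kinit -S holds a ticket that can administer the realm for its lifetime, so keep it in a private file and kdestroy it when the batch is done; the same caution applies to whatever a custom kadm5_init_with_creds caller stores.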

