kadmin can't use TGT based?
Sam Hartman
hartmans at MIT.EDU
Tue Jan 4 15:36:23 EST 2005
>>>>> "Chaskiel" == Chaskiel M Grundman <cg2v at andrew.cmu.edu> writes:
Chaskiel> --On Monday, January 03, 2005 00:19:47 +0000 Mark Roach
Chaskiel> <mrroach at okmaybe.com> wrote:
>> Hi, I'm fairly new to Kerberos. I want to verify that I
>> understand this item correctly: Is it true that you can not use
>> a TGT based ticket to connect to the kadmin server?
Chaskiel> If your realm is set up properly, then yes. It is proper
Chaskiel> practice to set DISALLOW_TGT_BASED on the kadmin/admin,
Chaskiel> kadmin/changepw, and changepw/kerberos service
Chaskiel> principals. That is, however, a policy decision, not
Chaskiel> anything that is fixed in the protocol.
Well, I think the MIT kadmind actually enforces this itself even if
you don't set the KDC policy.
--Sam
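
Added example (not part of the original message and not MIT's code): a shell check of the KDC policy discussed above, listing which of the three service principals lack DISALLOW_TGT_BASED. It assumes the "Principal:" / "Attributes:" line format printed by MIT kadmin's getprinc; the EXAMPLE.COM realm and the sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit which kadmin-related service principals still accept TGT-based
# tickets. Input is the text printed by MIT kadmin "getprinc".

# Principals named in the thread; the realm is stripped before comparison.
REQUIRED="kadmin/admin kadmin/changepw changepw/kerberos"

# Constructed sample of getprinc output (abridged; not from a real realm).
sample_getprinc() {
cat <<'EOF'
Principal: kadmin/admin@EXAMPLE.COM
Attributes: DISALLOW_TGT_BASED
Policy: [none]
Principal: kadmin/changepw@EXAMPLE.COM
Attributes: DISALLOW_TGT_BASED PWCHANGE_SERVICE
Policy: [none]
Principal: changepw/kerberos@EXAMPLE.COM
Attributes:
Policy: [none]
EOF
}

# Reads getprinc output on stdin and prints one line per required principal
# that is missing the flag or was not present in the input at all.
missing_tgt_flag() {
    awk -v required="$REQUIRED" '
        BEGIN { n = split(required, want, " ") }
        $1 == "Principal:" { name = $2; sub(/@.*/, "", name); seen[name] = 1 }
        $1 == "Attributes:" {
            for (i = 2; i <= NF; i++)
                if ($i == "DISALLOW_TGT_BASED") flagged[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in flagged)) {
                    state = (want[i] in seen) ? "flag-not-set" : "not-found"
                    print want[i], state
                }
        }'
}

sample_getprinc | missing_tgt_flag
# On a live KDC the input would come from, for each principal:
#   kadmin.local -q "getprinc kadmin/admin"
# and the flag is set with:
#   kadmin.local -q "modprinc -allow_tgt_based kadmin/admin"
```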