kadmin can't use TGT based?

Mark Roach mrroach at okmaybe.com
Tue Jan 4 19:01:02 EST 2005


On Tue, 04 Jan 2005 15:36:23 -0500, Sam Hartman wrote:

>>>>>> "Chaskiel" == Chaskiel M Grundman <cg2v at andrew.cmu.edu> writes:
>     Chaskiel> If your realm is set up properly, then yes. It is proper
>     Chaskiel> practice to set DISALLOW_TGT_BASED on the kadmin/admin,
>     Chaskiel> kadmin/changepw, and changepw/kerberos service
>     Chaskiel> principals. That is however a policy decision, not
>     Chaskiel> anything that is fixed in the protocol.
> 
> Well, I think the MIT kadmind actually enforces this itself even if
> you don't set the KDC policy.

I think this must be true (I haven't yet checked the source) as some of my
user/admin principals do not have that flag set, but it still shows in the
logs.

Thank you both for your responses.

-Mark
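
An added example, not part of the original message or of MIT Kerberos itself: a shell check that reports which of the three service principals named in the quoted advice lack DISALLOW_TGT_BASED. It assumes `kadmin.local -q "getprinc ..."` prints the flags on a single `Attributes:` line; the sample output and the EXAMPLE.COM realm are constructed.

```shell
#!/bin/sh
# Added example: report which service principals lack DISALLOW_TGT_BASED.

# The three service principals named in the quoted advice.
PRINCS="kadmin/admin kadmin/changepw changepw/kerberos"

# Constructed, abbreviated getprinc output (realm EXAMPLE.COM is a placeholder).
# changepw/kerberos is deliberately shown without the flag.
sample_getprinc() {
    echo "Principal: $1@EXAMPLE.COM"
    case "$1" in
        changepw/kerberos) echo "Attributes: REQUIRES_PRE_AUTH" ;;
        *)                 echo "Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED" ;;
    esac
    echo "Policy: [none]"
}

# On a real MIT KDC host, run with GETPRINC=real_getprinc.
real_getprinc() {
    kadmin.local -q "getprinc $1"
}

GETPRINC=${GETPRINC:-sample_getprinc}

# Reads getprinc output on stdin; succeeds only if the Attributes line
# lists DISALLOW_TGT_BASED as a whole word.
has_disallow_tgt_based() {
    awk '/^Attributes:/ { for (i = 2; i <= NF; i++) if ($i == "DISALLOW_TGT_BASED") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Prints one line for each principal that lacks the flag.
missing_principals() {
    for p in $PRINCS; do
        "$GETPRINC" "$p" | has_disallow_tgt_based || echo "$p"
    done
    return 0
}

missing_principals
# To set the flag on a reported principal (MIT kadmin):
#   kadmin.local -q "modprinc -allow_tgs_req <principal>"
```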

