kadmin can't use TGT based?
Mark Roach
mrroach at okmaybe.com
Tue Jan 4 19:01:02 EST 2005
On Tue, 04 Jan 2005 15:36:23 -0500, Sam Hartman wrote:
>>>>>> "Chaskiel" == Chaskiel M Grundman <cg2v at andrew.cmu.edu> writes:
> Chaskiel> If your realm is set up properly, then yes. It is proper
> Chaskiel> practice to set DISALLOW_TGT_BASED on the kadmin/admin,
> Chaskiel> kadmin/changepw, and changepw/kerberos service
> Chaskiel> principals. That is however a policy decision, not
> Chaskiel> anything that is fixed in the protocol.
>
> Well, I think the MIT kadmind actually enforces this itself even if
> you don't set the KDC policy.
I think this must be true (I haven't yet checked the source) as some of my
user/admin principals do not have that flag set, but it still shows in the
logs.

Thank you both for your responses.

-Mark