MacOSX Tiger kadmin uses a non-standard service principal
Tom Yu
tlyu at MIT.EDU
Thu May 5 17:46:07 EDT 2005
>>>>> "benp" == Ben Poliakoff <benp at reed.edu> writes:
benp> Has anyone else noticed that the kadmin command on the recently released
benp> Mac OS 10.4 (aka "Tiger") wants to use a "non-standard" kadmin service
benp> principal?
[...]
benp> I may well have missed something; is a new "standard" emerging? MIT
benp> krb5-1.4.1 doesn't seem to look for "kadmin/<FQDN>@<REALM>" (it happily
benp> uses the same "kadmin/admin@<REALM>" format it always has).
benp> Presumably if I create the principal "kadmin/<FQDN>@<REALM>" and add it
benp> to my kadmind's keytab then kadmin on my Tiger machines will work. But
benp> it's rather annoying to be "blackmailed" into making a modification like
benp> this on one's KDC.
The admin protocol changed in krb5-1.4 (which is what Tiger's krb5 is
based on), for compatibility with Sun's kadmin protocol, which uses
the standards-track RPCSEC_GSS authentication flavor, rather than the
old non-standard authentication flavor used previously. Sun's kadmin
protocol uses kadmin/FQDN rather than kadmin/admin for the service
principal. Support for transparent fallback of the kadmin protocol
was not implemented until krb5-1.4.1.
One workaround is to invoke the kadmin client with the "-O" flag to
force the use of the old protocol, or to upgrade to krb5-1.4.1. I
don't know when Apple intends to pick up krb5-1.4.1.
---Tom
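The practical question in the thread is whether a given kadmind keytab already holds the kadmin/<FQDN>@<REALM> principal the RPCSEC_GSS protocol expects, or only the kadmin/admin@<REALM> principal of the old protocol, and therefore whether a 1.4 client needs the "-O" flag. The following is an added example, not code from the thread or from MIT Kerberos: it writes and parses the MIT version-2 keytab file format (0x0502 header, big-endian length-prefixed records) and reports which kadmin service principal is present. The realm, hostname, admin principal and key bytes are constructed placeholders; the "-p" option of kadmin is assumed to be the client's principal flag as in MIT krb5.

```python
"""Check a kadmind keytab for the kadmin service principal each protocol needs."""
import struct

KEYTAB_VERSION = b"\x05\x02"          # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _pack_str(s):
    data = s.encode()
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab file."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))      # v2: realm not counted
        body += _pack_str(realm)
        for comp in components:
            body += _pack_str(comp)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body     # record length prefix
    return bytes(out)


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...]; skips deleted (negative) slots."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                   # hole left by a delete
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                                # skip the key material
        kvno = vno8
        if end - pos >= 4:                             # optional 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def kadmin_service_status(keytab, fqdn, realm):
    """Which kadmin service principals the keytab can authenticate as."""
    present = {principal for principal, _, _ in parse_keytab(keytab)}
    return {
        "legacy": f"kadmin/admin@{realm}" in present,        # pre-1.4 protocol
        "rpcsec_gss": f"kadmin/{fqdn}@{realm}" in present,   # 1.4 / Sun protocol
    }


def kadmin_argv(keytab, fqdn, realm, admin_principal):
    """Client command line: add -O when only the old service principal exists."""
    status = kadmin_service_status(keytab, fqdn, realm)
    if status["rpcsec_gss"]:
        return ["kadmin", "-p", admin_principal]
    if status["legacy"]:
        return ["kadmin", "-O", "-p", admin_principal]
    raise LookupError("keytab holds no kadmin service principal for either protocol")


# Constructed sample data (placeholder key bytes, not a real key).
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_FQDN = "kdc.example.com"
SAMPLE_KEY = bytes(range(32))
LEGACY_KEYTAB = build_keytab([
    (f"kadmin/admin@{SAMPLE_REALM}", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
    (f"kadmin/changepw@{SAMPLE_REALM}", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
])
UPDATED_KEYTAB = build_keytab([
    (f"kadmin/admin@{SAMPLE_REALM}", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
    (f"kadmin/changepw@{SAMPLE_REALM}", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
    (f"kadmin/{SAMPLE_FQDN}@{SAMPLE_REALM}", 1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
])

if __name__ == "__main__":
    for label, keytab in (("legacy", LEGACY_KEYTAB), ("updated", UPDATED_KEYTAB)):
        print(label, kadmin_service_status(keytab, SAMPLE_FQDN, SAMPLE_REALM),
              " ".join(kadmin_argv(keytab, SAMPLE_FQDN, SAMPLE_REALM, "admin/admin@EXAMPLE.COM")))
```

On a real KDC the same check runs against the bytes of the kadmind keytab file (read with `open(path, "rb")`); the parser only reads principal names and skips the key material, so it can be run by a monitoring job without copying keys around.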