Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
Ken Raeburn
raeburn at MIT.EDU
Wed Jun 18 16:54:04 EDT 2008
On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> I believe that the meaning of allow_tix should be altered such that
> it only applies to the client
> in a TGS or AS request. This would permit -allow_tix to be applied
> to a service principal
> and ensure that no client ticket requests can be satisfied for that
> service principal while at
> the same time permitting other principals to obtain service tickets.
> Organizations that wish to disable the issuance of service tickets
> for the service principal
> would apply -allow_svr to the principal in addition to -allow_tix.
I think it should be pointed out that such a change would allow
tickets to start being issued where currently they would not when the
KDC software gets updated -- even if the latter really was the intent
of the realm administrator. Because of that, we might instead want to
create a new flag with the semantics Jeff wants, and leave the
existing flag with its current (suboptimal) behavior.
Ken
More information about the Kerberos
mailing list