Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
Nicolas Williams
Nicolas.Williams at sun.com
Wed Jun 18 17:13:44 EDT 2008
On Wed, Jun 18, 2008 at 04:54:04PM -0400, Ken Raeburn wrote:
> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> > I believe that the meaning of allow_tix should be altered such that
> > it only applies to the client in a TGS or AS request. This would
> > permit -allow_tix to be applied to a service principal and ensure
> > that no client ticket requests can be satisfied for that service
> > principal while at the same time permitting other principals to
> > obtain service tickets. Organizations that wish to disable the
> > issuance of service tickets for the service principal would apply
> > -allow_svr to the principal in addition to -allow_tix.
>
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.
Or provide a migration script.