Obtaining Service Ticket with TGT only (via shell commands)

Frank Gruellich frank.gruellich at navteq.com
Wed Mar 25 06:46:34 EDT 2009

Greg Hudson wrote:
> On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote:
>> But for some reason it does not work with the kadmin/admin service
>> principal:
> If you go into kadmin and run "getprinc kadmin/admin", you should see:
>         Attributes: DISALLOW_TGT_BASED
> which means you can only get a ticket for this principal with an initial
> ticket request and not with a TGT.  You can change this with "modprinc
> +allow_tgs_req kadmin/admin"

True, works.  Thanks.

> but I believe that would compromise the requirement that people have
> to reenter their passwords in order to run kadmin.

But that's, in fact, my intention.  I know that kadmin is some kind of
critical tool.  If security aspects are the only problem with this setup
I'll drop them.  I accept that kadmin/admin service is just something
like host/eloy.example.com.

> For the purposes of your script, you can either treat a "KDC policy
> rejects request" error as an indication that the principal exists, or
> you can assume you won't run into that situation on any of the
> principals you are managing with the script.

Oh, that's a good idea, too.  But at some point the script's caller has
to do changes to the KDC database, so I need the kadmin/admin ticket

Thanks a lot for your help.

Kind regards,
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
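The approach Greg suggests above, treating a "KDC policy rejects request" error as proof that the principal exists, written out as a small POSIX shell helper. This is an added example, not code from the thread or from MIT Kerberos. It assumes MIT's kvno client is installed and that a TGT is already in the credential cache; the "Server not found in Kerberos database" string is MIT's error text for an unknown service principal and is an assumption outside the original post.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Kerberos
# principal exists using only a TGT, without needing a kadmin/admin ticket.
# A principal with DISALLOW_TGT_BASED (such as kadmin/admin) cannot be
# fetched via a TGS request, but the KDC's policy error still tells us
# the principal is present in the database.

# classify_kvno_output <exit-status> <stderr-text>
# Prints one of: exists, exists-no-tgs, missing, unknown
classify_kvno_output() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        # kvno obtained a service ticket: the principal exists and allows
        # TGT-based requests
        echo exists
        return 0
    fi
    case "$err" in
        # KDC policy error: principal exists but is DISALLOW_TGT_BASED
        # (the message quoted in the thread)
        *"KDC policy rejects request"*)
            echo exists-no-tgs ;;
        # Assumed MIT error text for an unknown service principal
        *"Server not found in Kerberos database"*)
            echo missing ;;
        # Anything else (no KDC reachable, expired TGT, ...) is not an
        # answer about the principal, so do not guess
        *)
            echo unknown ;;
    esac
}

# principal_exists <principal>
# Runs MIT kvno against the current credential cache (assumed to hold a
# valid TGT) and classifies the result. Only stderr is captured; the
# kvno line printed on success is discarded.
principal_exists() {
    princ=$1
    err=$(kvno "$princ" 2>&1 >/dev/null)
    classify_kvno_output $? "$err"
}

# Usage: ./check_princ.sh kadmin/admin@EXAMPLE.COM
if [ $# -gt 0 ]; then
    principal_exists "$1"
fi
```

The "unknown" branch matters for a management script: a transport or credential failure must not be read as "principal missing", or the script would try to create a principal that is already there.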
