Obtaining Service Ticket with TGT only (via shell commands)
Frank Gruellich
frank.gruellich at navteq.com
Wed Mar 25 06:46:34 EDT 2009
Greg Hudson wrote:
> On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote:
>> But for some reason it does not work with the kadmin/admin service
>> principal:
> If you go into kadmin and run "getprinc kadmin/admin", you should see:
>
> Attributes: DISALLOW_TGT_BASED
>
> which means you can only get a ticket for this principal with an initial
> ticket request and not with a TGT. You can change this with "modprinc
> +allow_tgs_req kadmin/admin"
True, works. Thanks.
> but I believe that would compromise the requirement that people have
> to reenter their passwords in order to run kadmin.
But that's, in fact, my intention. I know that kadmin is some kind of
critical tool. If security aspects are the only problem with this
setup, I'll drop them. I accept that the kadmin/admin service is just
something like host/eloy.example.com.
> For the purposes of your script, you can either treat a "KDC policy
> rejects request" error as an indication that the principal exists, or
> you can assume you won't run into that situation on any of the
> principals you are managing with the script.
Oh, that's a good idea, too. But at some point the script's caller has
to do changes to the KDC database, so I need the kadmin/admin ticket
anyway.
Thanks a lot for your help.
Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
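The two checks discussed in the thread (reading the DISALLOW_TGT_BASED attribute from "getprinc" output, and treating a "KDC policy rejects request" error from a TGT-based service ticket request as "principal exists") can be scripted as below. This is an added example, not code from the thread or from MIT Kerberos; the exact kvno error strings ("KDC policy rejects request", "Server not found in Kerberos database") are assumed from MIT krb5's usual wording and should be confirmed against your own KDC, and the sample outputs in the script are constructed for illustration.

```shell
#!/bin/sh
# Helpers for a script that holds only a TGT and wants to know whether a
# principal exists, without relaxing DISALLOW_TGT_BASED on kadmin/admin.

# Classify the combined stdout/stderr of `kvno <principal>` plus its exit
# status. Prints one word: exists, exists-policy, missing or error.
# Message wording is an assumption based on MIT krb5; verify locally.
classify_kvno_output() {
    out=$1
    status=$2
    if [ "$status" -eq 0 ]; then
        echo exists
        return 0
    fi
    case $out in
        *"KDC policy rejects request"*)
            # KDC knows the principal but refuses a TGT-based ticket
            # (e.g. DISALLOW_TGT_BASED set). Per the thread: treat as existing.
            echo exists-policy
            return 0 ;;
        *"Server not found in Kerberos database"*)
            echo missing
            return 1 ;;
        *)
            # Network/credential problems etc.; do not guess either way.
            echo error
            return 2 ;;
    esac
}

# Run kvno against a live KDC and classify the result (assumes kvno is
# on PATH and a TGT is in the default credential cache).
principal_exists() {
    out=$(kvno "$1" 2>&1)
    status=$?
    classify_kvno_output "$out" "$status"
}

# Given the text of `kadmin -q "getprinc <principal>"`, report whether the
# Attributes line carries DISALLOW_TGT_BASED (0 = yes, 1 = no).
has_disallow_tgt_based() {
    printf '%s\n' "$1" | grep -q '^Attributes:.*DISALLOW_TGT_BASED'
}

# Constructed sample output, shaped like kadmin's getprinc listing.
SAMPLE_GETPRINC='Principal: kadmin/admin@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_TGT_BASED
Policy: [none]'

if [ "$1" = "--demo" ]; then
    classify_kvno_output 'kvno: KDC policy rejects request while getting credentials for kadmin/admin@EXAMPLE.COM' 1
    has_disallow_tgt_based "$SAMPLE_GETPRINC" && echo "kadmin/admin: DISALLOW_TGT_BASED set"
fi
```

In a management script the caller would replace the demo branch with a call such as `principal_exists host/eloy.example.com` and branch on the printed word; the "error" case is kept separate so that an unreachable KDC is never misread as a missing principal.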