2 preauth questions
Dennis Davis
D.H.Davis at bath.ac.uk
Fri Nov 18 04:55:46 EST 2011
On Thu, 17 Nov 2011, Chris Hecker wrote:
> From: Chris Hecker <checker at d6.com>
> To: "kerberos at mit.edu" <kerberos at mit.edu>
> Date: Thu, 17 Nov 2011 23:49:39
> Subject: 2 preauth questions
...
> 2. On a related note, is there any way to default
> +requires_preauth on princs? There are password policies, but I
> didn't see any way to have attribute policies that would allow
> +requires_preauth +disallow_svr as the default for all my princs
> created through kadmin manually. When I create accounts using my
> perl Authen::Krb5::Admin scripts, I set the flags correctly, of
> course, it's just sometimes nice to drop into kadmin quickly to
> make a test account.
You could use the default_principal_flags setting in the realms
section of your kdc.conf file. Then the kdc takes care of some
defaults. I've used:
default_principal_flags = +postdateable,+forwardable,+tgt-based,+renewable,+proxiable,+dup-skey,+allow-tickets,+service,+preauth
Note: the above +preauth setting will only work on service
principals if you're using a recent version of MIT's software.
I raised this point some time ago and I vaguely remember Greg
Hudson explaining why this is so. However we currently don't want
+preauth set on service principals, just in case we have old "user"
principals still without +preauth. This shouldn't be the case;
we're just being cautious. So this "wrong" behaviour in older
software is fine with us.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk Phone: +44 1225 386101
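The reply above relies on old "user" principals still having +preauth set. One way to verify that, as an added example that is not part of the original post or of MIT's own tooling, is to scan `kadmin getprinc` output for principals whose `Attributes:` line lacks `REQUIRES_PRE_AUTH` (the attribute name that `+requires_preauth` sets). The script assumes the `Principal:` / `Attributes:` line format MIT kadmin prints; the sample output embedded below is constructed and abbreviated, and the helper name `principals_missing_preauth` is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list principals whose getprinc
# output lacks the REQUIRES_PRE_AUTH attribute.
# Assumes MIT kadmin's "Principal:" and "Attributes:" line format.

# Constructed, abbreviated sample of `kadmin.local -q "getprinc ..."` output
# for three principals: one with preauth required, one old user principal
# with no attributes, and one service principal with only DISALLOW_SVR.
SAMPLE_GETPRINC='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: olduser@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_SVR
Policy: [none]'

# Read getprinc output on stdin and print the name of every principal whose
# Attributes line does not contain REQUIRES_PRE_AUTH.
principals_missing_preauth() {
    awk '
        /^Principal: /  { princ = $2 }
        /^Attributes:/  { if ($0 !~ /REQUIRES_PRE_AUTH/) print princ }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETPRINC" | principals_missing_preauth

# Against a live KDC database (needs kadmin.local privileges; not run here),
# feed every principal's getprinc output through the same filter:
#   kadmin.local -q listprincs | grep '@' | while read -r p; do
#       kadmin.local -q "getprinc $p"
#   done | principals_missing_preauth
```

Any principal this prints has not yet had `+requires_preauth` applied, which is exactly the case the reply says default_principal_flags is meant to cover for newly created principals; existing ones still need to be modified by hand (`modprinc +requires_preauth`).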