kadm5.acl rights for foreign principals

Jayen Ashar jayen at science.unsw.edu.au
Mon Jul 2 04:04:21 EDT 2012


Hi,

Any chance this has changed in the last ten years?  I notice that in
the install guide[1], there is an example kadm5.acl with users from
two different realms.  I tried this, but kadmin keeps trying to
contact the user's realm's kdc to get a service key for kadmin/admin
instead of contacting the specified realm's kdc.  (In the example
below, kadmin contacts ADTEST for the service principal kadmin/admin,
where I think it should be contacting SCIENCE.  192.168.56.101 is
SCIENCE's admin server, but it is not being contacted.)

> kadmin -r SCIENCE.UNSW.EDU.AU -p z3208682_sa at ADTEST.UNSW.EDU.AU -s 192.168.56.101
Authenticating as principal z3208682_sa at ADTEST.UNSW.EDU.AU with password.
Password for z3208682_sa at ADTEST.UNSW.EDU.AU:
Password for z3208682_sa at ADTEST.UNSW.EDU.AU:
kadmin: Database error! Required KADM5 principal missing while
initializing kadmin interface

Thanks,
Jayen

[1] http://web.mit.edu/kerberos/krb5-latest/krb5-1.10.2/doc/krb5-install.html#Add-Administrators-to-the-Acl-File

On Wed, Mar 13, 2002 at 6:25 AM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
> >Kerberos FAQ states it's possible (although it does not recommend it)
> >we can refer to foreign principals, giving them rights in the kadm5.acl
> >file if we trust the foreign KDC.
>
> Are you sure it says that?  As the author of the Kerberos FAQ, I can't
> find that (it does mention ACLs, but doesn't specifically mention
> kadm5.acl).
>
> >Since we have a multi-realm KDC and in real life the same
> >people will manage those realms, I'd like to give permissions
> >to the same principal and, if possible, I wouldn't like to
> >create user/admin at REALM1, user/admin at REALM2. I just want to
> >insert an entry for user/admin at REALM1 in the kadm5.acl file
> >for each domain.
>
> Unfortunately ... because kadmin/admin is set to only allow AS_REQ-based
> requests (which you don't want to change, trust me) and there's no way
> to do cross-realm without a TGS-based request, you're stuck.  You can't
> do what you want.
>
> --Ken
>

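The thread's question is about kadm5.acl, but the failure it hits is upstream of the ACL file: kadmind only ever consults kadm5.acl after the client has authenticated to kadmin/admin, and Ken's reply explains why a principal from a foreign realm never gets that far. To make the split visible, here is a small kadm5.acl matcher, written as an added example for this thread (it is not MIT krb5 code and does not claim to reproduce kadmind's exact matching rules). It assumes the documented entry format `principal permissions [target_principal [restrictions]]`, per-component shell-style globbing, that the first matching entry decides, that `*N` in the target refers back to the Nth bare `*` component of the matching principal pattern, and that `x`/`*` expand to `admcilsp`. The sample ACL is constructed from the realms named in the thread.

```python
"""
Toy kadm5.acl evaluator (added example, not MIT krb5 code).

Shows that an entry naming a principal from a *foreign* realm matches
exactly like a local one: the ACL layer is not where the thread's
cross-realm kadmin attempt fails.  Assumptions (ours, not the page's):
first matching entry wins; '*' and '?' glob within a component; '*N' in
the target is a backreference to the Nth bare '*' in the principal
pattern; restrictions are parsed but not enforced.
"""
import fnmatch
import re

# Grant letters that 'x' or '*' expand to (per the MIT docs as we read
# them; 'e', key extraction, is deliberately not included).
ALL = set("admcilsp")


def parse_principal(name):
    """Split 'c1/c2@REALM' into (['c1', 'c2'], 'REALM')."""
    local, sep, realm = name.rpartition("@")
    if not sep:
        raise ValueError("principal %r has no realm" % name)
    return local.split("/"), realm


def match_principal(pattern, principal):
    """Return the list of components captured by bare '*' components of
    `pattern` if it matches `principal`, else None."""
    pcomps, prealm = parse_principal(pattern)
    comps, realm = parse_principal(principal)
    if len(pcomps) != len(comps):
        return None
    captures = []
    for pat, comp in zip(pcomps + [prealm], comps + [realm]):
        if not fnmatch.fnmatchcase(comp, pat):
            return None
        if pat == "*":
            captures.append(comp)
    return captures


def expand_perms(letters):
    """Translate a permission string into (granted, denied) letter sets.
    Lowercase grants, uppercase denies, 'x'/'*' grant everything in ALL."""
    granted, denied = set(), set()
    for ch in letters:
        if ch in "x*":
            granted |= ALL
        elif ch.islower():
            granted.add(ch)
        elif ch.isupper():
            denied.add(ch.lower())
        else:
            raise ValueError("bad permission character %r" % ch)
    return granted - denied, denied


def parse_acl(text):
    """Yield (principal, perms, target_or_None, restrictions_or_None)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % line)
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        restrictions = fields[3] if len(fields) > 3 else None
        entries.append((principal, perms, target, restrictions))
    return entries


def substitute_backrefs(target, captures):
    """Replace '*1', '*2', ... in a target pattern with captured components."""
    def repl(m):
        idx = int(m.group(1)) - 1
        if idx >= len(captures):
            raise ValueError("backreference %s has no wildcard" % m.group(0))
        return captures[idx]
    return re.sub(r"\*(\d+)", repl, target)


def allowed(acl_text, client, op, target=None):
    """Is privilege `op` (one letter) by `client` on `target` permitted?
    First entry whose principal (and target, if it has one) matches
    decides; no matching entry means denied."""
    for principal, perms, tpat, _restr in parse_acl(acl_text):
        captures = match_principal(principal, client)
        if captures is None:
            continue
        if tpat is not None:
            if target is None:
                continue
            if match_principal(substitute_backrefs(tpat, captures), target) is None:
                continue
        granted, _denied = expand_perms(perms)
        return op in granted
    return False


# Constructed sample ACL for SCIENCE, using the realms from the thread.
SAMPLE_ACL = """\
# kadm5.acl for SCIENCE.UNSW.EDU.AU (constructed for this example)
*/admin@SCIENCE.UNSW.EDU.AU      *
z3208682_sa@ADTEST.UNSW.EDU.AU   x
helpdesk/*@SCIENCE.UNSW.EDU.AU   c   *1@SCIENCE.UNSW.EDU.AU
helpdesk/*@SCIENCE.UNSW.EDU.AU   i   *@SCIENCE.UNSW.EDU.AU
"""
```

Running `allowed(SAMPLE_ACL, "z3208682_sa@ADTEST.UNSW.EDU.AU", "a")` returns True, so the ACL would grant the foreign principal every privilege but key extraction; the helpdesk entries show first-match ordering and a `*1` backreference confining a password change to the operator's own user. What the matcher cannot model is the step before it: as Ken's reply says, a client in ADTEST has no way to present an AS_REQ-derived ticket for kadmin/admin@SCIENCE, so kadmind in SCIENCE never reaches this lookup for that principal.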
