Kind of Tickets Granting Control List

Greg Hudson ghudson at MIT.EDU
Wed Feb 5 00:40:05 EST 2014


On 02/04/2014 11:39 PM, Damien Touraine wrote:
> I am looking for a method to filter ticket granting.
> For instance, I have two NFS servers (nfs/server1 at REALM and
> nfs/server2 at REALM) and one computer client (nfs/client at REALM).
> I want kerberos to grant nfs/client at REALM for nfs/server1 at REALM, but
> forbid nfs/client at REALM for nfs/server2 at REALM.
> Is it possible ?

The traditional Kerberos viewpoint is that access control takes place
on the application server, not the KDC, so it is the responsibility of
nfs/server2 to decide what privileges, if any, to grant to nfs/client.
There have always been exceptions (such as the unwillingness of the KDC
to grant TGS requests for the kadmin service by default), but in general
that's been the party line.  Because of that, there aren't very many
administrator-visible policy facilities in the MIT krb5 KDC.  I believe
there isn't any way to do what you want without editing the KDC source
code or creating a new KDB module.

We have been considering adding a ticket policy plugin interface in a
future release, and may do so in the future, but we don't currently have
a timeline for it.
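Greg's answer puts the decision on the application server, which then needs to compare the client principal it got back from authentication against some policy. As an added illustration, not code from this thread or from MIT krb5, here is a small Python ACL matcher an application server could apply after the authentication step (GSSAPI or similar, assumed and not shown) has produced the client's principal name. The ACL format, the per-component `*` wildcard and the principal names are this example's own constructions, chosen to mirror the question; it is a generic check and does not describe how any particular NFS server is configured.

```python
"""Application-server-side access control keyed on the full Kerberos principal.

Added example, not code from the mailing-list thread or from MIT krb5.  It
assumes the server has already authenticated the client (for instance via
GSSAPI) and is handed the client's principal name as a string; the ACL
format and the '*' per-component wildcard are this example's own design.
"""
from fnmatch import fnmatchcase


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM').

    Backslash escapes are honoured as in MIT krb5 principal syntax, so an
    escaped '/' or '@' is literal and does not end a component.  A name
    without '@' returns realm None; it is deliberately NOT mapped to a
    default realm, so an unqualified name never matches a qualified ACL entry.
    """
    comps, buf, realm_buf, in_realm = [], [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling backslash in %r" % name)
            (realm_buf if in_realm else buf).append(nxt)
        elif in_realm:
            realm_buf.append(ch)
        elif ch == "/":
            comps.append("".join(buf))
            buf = []
        elif ch == "@":
            comps.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
    if not in_realm:
        comps.append("".join(buf))
        return comps, None
    realm = "".join(realm_buf)
    if not realm:
        raise ValueError("empty realm in %r" % name)
    return comps, realm


def principal_matches(pattern, principal):
    """True if principal matches pattern component by component.

    '*' in a pattern component matches any single component; the component
    count must agree, so 'nfs/*@R' matches 'nfs/host@R' but not
    'nfs/host/extra@R'.  The realm must match exactly unless the pattern's
    realm is '*': a same-named principal from another realm is a different
    identity and must not be let through by a check that only looks at the
    first component.
    """
    pcomps, prealm = parse_principal(pattern)
    ccomps, crealm = parse_principal(principal)
    if len(pcomps) != len(ccomps):
        return False
    if prealm != "*" and prealm != crealm:
        return False
    return all(fnmatchcase(c, p) for p, c in zip(pcomps, ccomps))


def authorize(acl, client, service):
    """First matching (client_pattern, service_pattern, decision) entry wins.

    No matching entry means deny, which is the safe default when the
    application server is the only enforcement point.
    """
    for client_pat, service_pat, decision in acl:
        if principal_matches(client_pat, client) and principal_matches(service_pat, service):
            return decision == "allow"
    return False


# Constructed sample ACL mirroring the question: nfs/client may use server1
# but not server2; every other nfs/* host in REALM may use any nfs/* service.
SAMPLE_ACL = [
    ("nfs/client@REALM", "nfs/server1@REALM", "allow"),
    ("nfs/client@REALM", "nfs/server2@REALM", "deny"),
    ("nfs/*@REALM", "nfs/*@REALM", "allow"),
]


if __name__ == "__main__":
    for client, service in [
        ("nfs/client@REALM", "nfs/server1@REALM"),
        ("nfs/client@REALM", "nfs/server2@REALM"),
        ("nfs/other@REALM", "nfs/server2@REALM"),
        ("nfs/client@OTHER.REALM", "nfs/server1@REALM"),
    ]:
        verdict = "allow" if authorize(SAMPLE_ACL, client, service) else "deny"
        print("%-26s -> %-20s %s" % (client, service, verdict))
```

The point worth keeping from this is the realm comparison and the default deny: a server that only inspects the first component of the name (or assumes a default realm for unqualified names) will accept `nfs/client@OTHER.REALM` as if it were the local `nfs/client`, which is exactly the kind of decision the KDC is not going to make for you.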

