Kind of Tickets Granting Control List

Damien Touraine damien.touraine at limsi.fr
Wed Feb 5 04:13:57 EST 2014


On 05/02/2014 06:40, Greg Hudson wrote:
> On 02/04/2014 11:39 PM, Damien Touraine wrote:
>> I am looking for a method to filter ticket granting.
>> For instance, I have two NFS servers (nfs/server1 at REALM and
>> nfs/server2 at REALM) and one computer client (nfs/client at REALM).
>> I want kerberos to grant nfs/client at REALM for nfs/server1 at REALM, but
>> forbid nfs/client at REALM for nfs/server2 at REALM.
>> Is it possible ?
> The traditional Kerberos viewpoint is that access control takes place
> on the application server, not the KDC, so it is the responsibility of
> nfs/server2 to decide what privileges, if any, to grant to nfs/client.
> There have always been exceptions (such as the unwillingness of the KDC
> to grant TGS requests for the kadmin service by default), but in general
> that's been the party line.  Because of that, there aren't very many
> administrator-visible policy facilities in the MIT krb5 KDC.  I believe
> there isn't any way to do what you want without editing the KDC source
> code or creating a new KDB module.
>
> We have been considering adding a ticket policy plugin interface in a
> future release, and may do so in the future, but we don't currently have
> a timeline for it.
>
Hi Greg,

Thank you for your answer.
I'm not a complete dummy in C development, and the KDC source code 
seems clean. Do you think I could try to investigate the development of 
such a ticket policy plugin interface? Although I can't guarantee that I 
will manage to produce something. Do you have specifications for such 
behaviour?

Regards,
Damien
