OTP and kadmin
Felix Weissbeck
contact-kerberos at w7k.de
Mon Jan 9 09:35:25 EST 2017
Hi Ben and thanks for your help.
On Sonntag, 8. Januar 2017 12:33:26 CET Benjamin Kaduk wrote:
> One thing to try would be separating getting tickets and authenticating
> to kadmin, aka
>
> kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
> kadmin -c FILE:/tmp/krb5cc_admin -p user/admin
OK, getting the Service principal with only my existing princ does not exactly
work; this returns "kinit: Invalid argument while getting initial credentials".
If I change it to match the whole preauth stuff it works:
root@ldap:~# kdestroy -A
root@ldap:~# kinit -n
root@ldap:~# kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r 5m -l 5m -T FILE:/tmp/krb5cc_0_iC5PjpBw3M fe/admin@W7K.DE
Enter OTP Token Value:
root@ldap:~# kadmin -c FILE:/tmp/krb5cc_admin
Authenticating as principal fe/admin@W7K.DE with existing credentials.
kadmin: list_principals
HTTP/..........
HTTP/...
> That would make it more clear if it is just a failure in the kadmin client
> logic.
To me this seems to be the case.
> -Ben
That does actually already work for me since I already have a little wrapper to
obtain these admin tickets, so that my users get two prompts for Password and
Yubikey. I can just add the kadmin functionality there.
Regards
Felix
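
The three steps from the session above (anonymous armor ticket, OTP kinit for kadmin/admin with -T, kadmin -c) as a wrapper script. This is an added example, not part of the original message and not Felix's own wrapper. It assumes MIT krb5 client tools and a KDC that permits anonymous PKINIT; the names run, otp_kadmin and DRY_RUN are hypothetical, and the per-run private ccache directory replaces the fixed /tmp/krb5cc_admin path by choice.

```bash
#!/usr/bin/env bash
# Added example (not Felix's wrapper): armor ticket -> OTP kinit -> kadmin.
# Assumes MIT krb5 client tools and a KDC that allows anonymous PKINIT
# (required for `kinit -n`). run, otp_kadmin and DRY_RUN are hypothetical names.

# With DRY_RUN=1, print the command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# usage: otp_kadmin user/admin@REALM [kadmin arguments...]
otp_kadmin() {
    local princ="$1" dir armor admin rc=0
    shift
    # Private 0700 directory: no predictable ccache path in /tmp, and no
    # need for `kdestroy -A`, which would also wipe the caller's own tickets.
    dir=$(mktemp -d) || return 1
    armor="FILE:$dir/armor"
    admin="FILE:$dir/admin"

    # 1. Anonymous TGT, used only as the FAST armor for the OTP exchange.
    # 2. Short-lived kadmin/admin ticket; kinit prompts for the OTP value.
    # 3. kadmin with the existing credentials from that ccache.
    run kinit -n -c "$armor" &&
    run kinit -c "$admin" -S kadmin/admin -r 5m -l 5m -T "$armor" "$princ" &&
    run kadmin -c "$admin" -p "$princ" "$@" || rc=$?

    # Destroy both caches whether or not the steps above succeeded.
    run kdestroy -q -c "$armor" 2>/dev/null || true
    run kdestroy -q -c "$admin" 2>/dev/null || true
    rm -rf "$dir"
    return "$rc"
}

# Run only when called with arguments, e.g.:
#   ./otp-kadmin.sh fe/admin@W7K.DE -q list_principals
if [ "$#" -gt 0 ]; then
    otp_kadmin "$@"
fi
```

With DRY_RUN=1 the script only prints the kinit, kadmin and kdestroy command lines, which is a quick way to check the ccache paths before running it against a live KDC.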