OTP and kadmin

Felix Weissbeck contact-kerberos at w7k.de
Mon Jan 9 09:35:25 EST 2017


Hi Ben and thanks for your help.

On Sunday, 8 January 2017 12:33:26 CET Benjamin Kaduk wrote:
> One thing to try would be separating getting tickets and authenticating
> to kadmin, aka
> 
> kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
> kadmin -c FILE:/tmp/krb5cc_admin -p user/admin

OK, getting the service principal with only my existing princ does not exactly
work; this returns "kinit: Invalid argument while getting initial credentials".
If I change it to match the whole preauth stuff it works:

root at ldap:~# kdestroy -A
root at ldap:~# kinit -n
root at ldap:~# kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r 5m -l 5m -T FILE:/tmp/krb5cc_0_iC5PjpBw3M fe/admin@W7K.DE
Enter OTP Token Value:
root at ldap:~# kadmin -c FILE:/tmp/krb5cc_admin
Authenticating as principal fe/admin@W7K.DE with existing credentials.
kadmin:  list_principals
 HTTP/..........
 HTTP/...

> That would make it more clear if it is just a failure in the kadmin client
> logic.
To me this seems to be the case. 
> -Ben

That does actually already work for me since I already have a little wrapper to
obtain these admin tickets, so that my users get two prompts for Password and
Yubikey. I can just add the kadmin functionality there.

Regards 
  Felix 
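A wrapper of the kind Felix mentions, written here as an added example (it is not his script and not part of MIT Kerberos): it runs the working sequence from the session above with the anonymous armor ticket and the kadmin/admin ticket in throw-away caches, so the admin ticket never sits in the login cache and is removed when kadmin exits. The KINIT/KADMIN overrides and the 5 minute lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: wrap the sequence shown in the session
# (anonymous armor ticket -> OTP-preauthenticated kadmin/admin ticket ->
# kadmin with existing credentials). Assumes a KDC that issues anonymous
# tickets for "kinit -n" and does OTP preauth, as in the thread.
# KINIT/KADMIN can be overridden (used to exercise the logic without a KDC).

kadmin_otp() {
    # $1 = admin principal (e.g. fe/admin@W7K.DE); remaining args go to kadmin
    princ=$1
    [ -n "$princ" ] || { echo "usage: kadmin_otp PRINCIPAL [kadmin args]" >&2; return 2; }
    shift
    kinit_cmd=${KINIT:-kinit}
    kadmin_cmd=${KADMIN:-kadmin}

    # Private caches: nothing here touches the default cache, so no "kdestroy -A" needed.
    tmpdir=$(mktemp -d) || return 1
    armor="FILE:$tmpdir/armor"   # anonymous ticket, used only as FAST armor
    admin="FILE:$tmpdir/admin"   # short-lived kadmin/admin service ticket
    rc=0

    # 1. Anonymous ticket so the OTP exchange runs inside a FAST tunnel.
    $kinit_cmd -n -c "$armor" || rc=$?

    # 2. Service ticket for kadmin/admin only, armored with step 1; the 5m
    #    lifetime/renew values are an assumption (the thread uses 5m as well).
    [ "$rc" -eq 0 ] && {
        $kinit_cmd -c "$admin" -T "$armor" -S kadmin/admin -l 5m -r 5m "$princ" || rc=$?
    }

    # 3. kadmin authenticates with the existing ticket instead of prompting again.
    [ "$rc" -eq 0 ] && { $kadmin_cmd -c "$admin" "$@" || rc=$?; }

    # Remove both caches whatever happened; the admin ticket must not outlive this call.
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: kadmin_otp fe/admin@W7K.DE list_principals
```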

