OTP and kadmin
Greg Hudson
ghudson at mit.edu
Mon Jan 9 10:49:50 EST 2017
On 01/09/2017 09:35 AM, Felix Weissbeck wrote:
> That does actually already work for me since I already have a little wrapper to
> obtain these admin tickets, so that my users get two prompts for Password and
> Yubikey. I can just add the kadmin functionality there.

I'm glad you found a workaround. I think I see two issues here:

1. kadmin has no equivalent of the kinit -T option.
2. Users should never see an "Invalid argument" error message.

Unfortunately, I can't reproduce this; in similar circumstances, I get a
"Generic preauthentication failure" message as I would expect. (That
error message could probably be improved, but it's at least better than
an EINVAL.)

Can you run one of the failing cases with KRB5_TRACE=/dev/stdout and
send me the output?