kadm5 API questions
ghudson at mit.edu
Thu Mar 21 11:20:21 EDT 2019
On 3/21/19 3:55 AM, Rick van Rein wrote:
> There is some mention in the code about old and new GSS-API
> authentication (kadmin options -O and -N to force). What is the
> difference, and is the new style still based on GSS-API?
They are both based on GSS-API. I'd have to review the code to detail
the differences. You'd only want to use old-style authentication when
talking to a very old server, and even then it should fall back without
> IIRC, a property of GSS-API is that it will automatically
> re-authenticate when a credential has expired. Does this apply to the
> old and new GSS-API mechanisms too?
That is not a property of GSS-API, and it can't be. The message
exchanges needed for re-authentication wouldn't fit into the application
protocol, since the application is just passing gss_wrap() tokens from
one side to the other.
> Even if I have a krb5_context already, I seem to need a separate one for
> kadm5 use. Is this because the plain context is about local management,
> and the kadm5 is more like a client-to-a-service context, possibly using
> its own identity, addressing another realm, that sort of thing?
The context initialized with kadm5_init_krb5_context() can be used for
other purposes as well, so you don't need a separate context.
kadm5_init_krb5_context() just calls krb5_init_context() when you link
with the libkadm5clnt. When you link with libkadm5srv, it initializes a
context that reads kdc.conf as well as krb5.conf.
> Is it true that kadmind can only serve one realm? That would be
> different from the KDC, and a bit of a surprise. It increases the
> burden of adding a new realm, especially when this is automated.
Yes. I would consider a patch for multi-realm support.
> My KXOVER daemon identifies as kxover/public. Do I need to have that
> name in every realm it manages, or is it sufficient to have an ACL
> setting permitting an identity from another realm adding and removing
> principals through kadm5? [inconsistent test results]
The kadm5 protocol ordinarily requires initial tickets. Since
cross-realm tickets can only be obtained through a TGS request, there
are some obstacles to using kadmin across realms.
>From memory and a brief look at the code, it might be possible to use
cross-realm tickets if:
* You use kadm5_init_with_creds() or kadm5_init_with_skey(), not
* You remove the DISALLOW_TGT_BASED flag on the kadmin/admin and
kadmin/<hostname> principal entries.
* You don't perform self-service key change operations (principals
changing their own passwords or keys).
More information about the Kerberos