Cross realm kadmin
Kenneth MacDonald
Kenneth.MacDonald at ed.ac.uk
Mon Mar 25 07:28:33 EDT 2019
We have two MIT krb5 realms: LIVE and TEST.

I would like to add principals from LIVE into TEST's kadm5.acl file so
they can manage the TEST realm's principals, authenticating from
keytabs.

From what I can glean in the archives this isn't possible due to
kadmin/admin@TEST being denied to TGS requests, which includes cross
realm trust links.

I tried removing the DISALLOW_TGT_BASED flag from kadmin/admin@TEST
with no effect.

The kadmin command on a host in the LIVE realm obtained a
kadmin/admin@LIVE ticket and presented that to the TEST kadmin server
which of course couldn't verify it.

If this behaviour is impossible, I will have to ensure all my
management hosts default to the same realm that they are managing. Or
is there something I am missing?

Cheers,
Kenny.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.