Cross realm kadmin

Kenneth MacDonald Kenneth.MacDonald at
Mon Mar 25 07:28:33 EDT 2019

We have two MIT krb5 realms: LIVE and TEST.

I would like to add principals from LIVE into TEST's kadm5.acl file so
they can manage the TEST realm's principals, authenticating from

>From what I can glean in the archives this isn't possible due to to 
kadmin/admin at TEST being denied to TGS requests, which includes cross
realm trust links.

I tried removing the DISALLOW_TGT_BASED flag from kadmin/admin at TEST
with no effect.

The kadmin command on a host in the LIVE realm obtained a 
kadmin/admin at LIVE ticket and presented that to the TEST kadmin server
which of course couldn't verify it.

If this behaviour is impossible, I will have to ensure all my
management hosts default to the same realm that they are managing.  Or
is there something I am missing?



The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the Kerberos mailing list