Cross realm kadmin

Greg Hudson ghudson at
Mon Mar 25 12:16:36 EDT 2019

On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> If this behaviour is impossible, I will have to ensure all my
> management hosts default to the same realm that they are managing.  Or
> is there something I am missing?

I don't think it can work with kadmin -k (authenticating from keytab),
because kadmin will try to use the keytab to directly get credentials
for the server realm with an AS request.  Since is no cross-realm for AS
requests, it winds up getting credentials for the client realm instead.

I was able to make cross-realm kadmin work in a test environment with
kadmin -c.  I ran kinit normally, then used kvno to explicitly get
tickets for kadmin/admin at TEST.  The kvno step is necessary because
kadmin -c expects the necessary credential to already be present in the
ccache; it won't make a TGS request for them.  Then I ran kadmin -c
/path/to/ccache -r TEST.  Of course I also had to remove the
DISALLOW_TGT_BASED flag from the kadmin/admin at TEST principal entry, as
you did in your tests.

More information about the Kerberos mailing list